Hello Experts,
I am trying to get a drilldown when clicking on a Bar graph for each bar based on its Success and Failure. Below is the XML which I have worked on:
> > <condition field="Authentic">
> <set token="testsDrilldown">index=ABC
> |...</set>
> </condition>
> <condition field="BANK">
> <set token="testsDrilldown">index=ABC|...</set>
>
> </condition>
> <condition field="RTDC">
> <set token="testsDrilldown">index=ABC</set>
>
> </condition>
> </drilldown>
The separate bars are AUTHENTIC, BANK and RTDC, with Success in blue and Failure in red, as shown in the attached screenshot. When I click on the failure of any type, it should display a table based on the search in the XML.
index=ABC|...
is not showing up anything.
The condition should be executed based on AUTHENTIC, BANK, OR RTDC, but it is taking the Success or Failure condition. Can it be done?
<set token="testsDrilldown">index=ABC |...</set>
</condition>
I have tried using IF else conditions, but it did not work. For the drill down to appear, it has three different searches, one for each AUTHENTIC, RTDC, BANK and that is where I am finding difficulty.
Try this
<drilldown>
<eval token="testsDrilldown">case($click.value$="AUTHENTIC", "DO SOMETHING", $click.value$="NULL", "DO SOMETHING ELSE", 1=1, "NO MATCHES")</eval>
</drilldown>
It did not work; it is not showing any drilldown, instead redirecting to a search.
Hi sundareshr
Thanks for the response. I have tried it, but do we need to place that code for all three cases? I am pretty much new to Splunk, so can you please explain in detail?
<drilldown>
<eval token="testsDrilldown">case($click.value$="AUTHENTIC", "DO SOMETHING", $click.value$="NULL", "DO SOMETHING ELSE", 1=1, "NO MATCHES")</eval>
</drilldown>
Do we need to change the value in $click.value$?
I would suggest creating three panels. One for Success, one for Failure and one for "" and show/hide accordingly. Here is an example of how you can achieve that...
<chart>
<drilldown>
<eval token="success">if($click.value$="AUTHENTIC", "success", null())</eval>
<eval token="failure">if($click.value$="somethingelse", "failure", null())</eval>
<eval token="other">if($click.value$="", "other", null())</eval>
</drilldown>
</chart>
</row>
<row>
<panel depends="$success$">
<table>
<search>
<query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" transaction_log.trl_action_response_code!=0 | eval run="$success$" | mvexpand endpoint_message_log{}.eml_req_conn_uri | table endpoint_message_log{}.eml_req_conn_uri,transaction_log.trl_action_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:*DepositingBankDCD%231* WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('transaction_log.trl_action_response_code'="0","Success","Failure") | search endpoint_message_log{}.eml_req_conn_uri=AUTHENTIC
</query>
</search>
</table></panel></row>
<row>
<panel depends="$failure$">
<table>
<search>
<query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_pb_response_code!=0 | eval run="$failure$" | mvexpand endpoint_message_log{}.eml_req_conn_uri | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:*PayingBankDCDTestHarness%231* WITH BANK IN endpoint_message_log{}.eml_req_conn_uri| eval category=if('ews_transaction_log.ews_pb_response_code'="0","Success","Failure") | search endpoint_message_log{}.eml_req_conn_uri=BANK
</query>
</search>
</table></panel></row>
This will only execute the search corresponding to the token and keep the panel hidden if the token is not set.
I have tried but I have not got any luck on that
Here is a RUN ANYWHERE sample. Copy to a new dashboard. It should work. You can edit the searches to your requirement. EDITED to use the queries you have provided.
<dashboard>
<label>Help in Drill -Down for each Bar in a Bar Graph</label>
<row>
<panel>
<chart>
<search>
<query>your search to display bar chart with success/failure.</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<drilldown>
<eval token="success">if($click.value$="AUTHENTIC" AND $click.name2$="Failure", "success", null())</eval>
<eval token="failure">if($click.value$="BANK" AND $click.name2$="Failure", "failure", null())</eval>
<eval token="other">if($click.value$="RTDC" AND $click.name2$="Failure", "other", null())</eval>
</drilldown>
<option name="charting.chart">bar</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
<row>
<panel depends="$success$">
<title>SUCCESS Criteria met</title>
<table>
<search>
<query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" transaction_log.trl_action_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri
| table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:DepositingBankDCD%231 WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri |rename endpoint_message_log{}.eml_req_conn_uri as CONN | eval category=if('transaction_log.trl_action_response_code'="0","Success","Failure") | search CONN=AUTHENTIC</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">false</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="wrap">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
<row>
<panel depends="$failure$">
<title>FAILURE criteria met</title>
<table>
<search>
<query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_pb_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:PayingBankDCDTestHarness%231 WITH BANK IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_pb_response_code'="000","Success","Failure") |rename endpoint_message_log{}.eml_req_conn_uri as CONN</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">false</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="wrap">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
<row>
<panel depends="$other$">
<title>OTHER criteria met</title>
<table>
<search>
<query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_rtdc_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:RTDC%231 WITH RTDC IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_rtdc_response_code'="000","Success","Failure") |rename endpoint_message_log{}.eml_req_conn_uri as CONN |search CONN=RTDC</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">false</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="wrap">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
</dashboard>
sundareshr
Thank you so much for putting so much effort into this. I just want to confirm one thing: in the attachment, which has
AUTHENTIC
BANK
RTDC
When I click on the Authentic Failure it should display the results of the query below via drilldown
index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" transaction_log.trl_action_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri
| table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:*DepositingBankDCD%231* WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri |rename endpoint_message_log{}.eml_req_conn_uri as CONN | eval category=if('transaction_log.trl_action_response_code'="0","Success","Failure") | search CONN=AUTHENTIC
When I click on BANK failure it should display the results of the query below via drilldown
index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_pb_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:*PayingBankDCDTestHarness%231* WITH BANK IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_pb_response_code'="000","Success","Failure") |rename endpoint_message_log{}.eml_req_conn_uri as CONN
When I click on RTDC failure it should display the results of the query below via drilldown
index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_rtdc_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:*RTDC%231* WITH RTDC IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_rtdc_response_code'="000","Success","Failure") |rename endpoint_message_log{}.eml_req_conn_uri as CONN |search CONN=RTDC
and the query for the attachment is the below one
index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri=*DepositingBankDCD%231* | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*BankDCDTestHarness%231*" "endpoint_message_log{}.eml_req_conn_uri"!="*RTDC%231*" | table endpoint_message_log{}.eml_req_conn_uri,transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name|search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=* | fillnull value=0 | replace connection:*DepositingBankDCD%231* WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('transaction_log.trl_action_response_code'="0","Success","Failure") | chart count by endpoint_message_log{}.eml_req_conn_uri ,category | append [search index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri="*PayingBankDCDTestHarness%231*" | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*" "endpoint_message_log{}.eml_req_conn_uri"!="*RTDC%231*" "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*" | table transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name,endpoint_message_log{}.eml_req_conn_uri |search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=* | fillnull value=000 | replace *PayingBankDCDTestHarness%231* WITH BANK IN 
endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_pb_response_code'="000","Success","Failure") | chart count by endpoint_message_log{}.eml_req_conn_uri ,category] |append [search index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri=*RTDC%231* | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*" "endpoint_message_log{}.eml_req_conn_uri"!="*PayingBankDCDTestHarness%231" | table endpoint_message_log{}.eml_req_conn_uri,transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name|search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=* | fillnull value=000 | replace connection:*RTDC%231 WITH RTDC IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_rtdc_response_code'="000","Success","Failure") | chart count by endpoint_message_log{}.eml_req_conn_uri ,category] |fillnull value=0
Is this the same as you have understood, or is it different? I am sorry if I posted too many; I just want to confirm.
What if user clicks on BANK success? I edited the above example to show only on FAILURE
We do not need any drilldown on the success of them; we just want a drilldown on the failure of each of them.
Help in Drill -Down for each Bar in a Bar Graph
<panel>
<chart>
<search>
<query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri=*DepositingBankDCD%231* | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*BankDCDTestHarness%231*" "endpoint_message_log{}.eml_req_conn_uri"!="*RTDC%231*" | table endpoint_message_log{}.eml_req_conn_uri,transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name|search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=* | fillnull value=0 | replace connection:*DepositingBankDCD%231* WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('transaction_log.trl_action_response_code'="0","Success","Failure") | chart count by endpoint_message_log{}.eml_req_conn_uri ,category | append [search index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri="*PayingBankDCDTestHarness%231*" | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*" "endpoint_message_log{}.eml_req_conn_uri"!="*RTDC%231*" "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*" | table transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name,endpoint_message_log{}.eml_req_conn_uri |search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=* | fillnull value=000 | replace *PayingBankDCDTestHarness%231* WITH BANK 
IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_pb_response_code'="000","Success","Failure") | chart count by endpoint_message_log{}.eml_req_conn_uri ,category] |append [search index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri=*RTDC%231* | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*" "endpoint_message_log{}.eml_req_conn_uri"!="*PayingBankDCDTestHarness%231" | table endpoint_message_log{}.eml_req_conn_uri,transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name|search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=* | fillnull value=000 | replace connection:*RTDC%231 WITH RTDC IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_rtdc_response_code'="000","Success","Failure") | chart count by endpoint_message_log{}.eml_req_conn_uri ,category] |fillnull value=0 </query>
<earliest>all</earliest>
<latest>now</latest>
</search>
<drilldown>
<eval token="success">if($click.value$="AUTHENTIC" AND $click.name2$="Failure", "success", null())</eval>
<eval token="failure">if($click.value$="BANK" AND $click.name2$="Failure", "failure", null())</eval>
<eval token="other">if($click.value$="RTDC" AND $click.name2$="Failure", "other", null())</eval>
</drilldown>
<option name="charting.chart">bar</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel depends="$success$">
<title>SUCCESS Criteria met</title>
<table>
<search>
<query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" transaction_log.trl_action_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri
| table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:*DepositingBankDCD%231* WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri |rename endpoint_message_log{}.eml_req_conn_uri as CONN | eval category=if('transaction_log.trl_action_response_code'="0","Success","Failure") | search CONN=AUTHENTIC</query>
<earliest>all</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">false</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="wrap">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</table>
</panel>
<panel depends="$failure$">
<title>FAILURE criteria met</title>
<table>
<search>
<query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_pb_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:*PayingBankDCDTestHarness%231* WITH BANK IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_pb_response_code'="000","Success","Failure") |rename endpoint_message_log{}.eml_req_conn_uri as CONN |search CONN=BANK</query>
<earliest>all</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">false</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="wrap">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</table>
</panel>
<panel depends="$other$">
<title>OTHER criteria met</title>
<table>
<search>
<query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_rtdc_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:*RTDC%231* WITH RTDC IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_rtdc_response_code'="000","Success","Failure") |rename endpoint_message_log{}.eml_req_conn_uri as CONN |search CONN=RTDC</query>
<earliest>all</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">false</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="wrap">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</table>
</panel>
Did this work?
It did not work. When clicked, it was not showing any drilldown, but it is opening a search. I don't think the token is passing.
Nope, I think the token is not passing and the drilldown is not enabled, since I don't see any drilldown; when clicked, it goes to a search.
Is it possible in Splunk to get a drilldown on each bar, with each bar having a separate query?
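The show/hide approach described in the answers above, as an added example that is not part of the original thread: one token carries the clicked bar when the Failure series is clicked, a second maps that bar to its response-code field, and a single `depends` panel serves all three bars. The token names `fail_type` and `rc_field` are hypothetical, the data is constructed with `makeresults` so it runs without `index=test_dev`, and it assumes a Splunk version that supports `<eval>` inside `<drilldown>`, written in the same `$click.value$` form the answers use.

```xml
<dashboard>
  <label>Per-bar failure drilldown (constructed data)</label>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Constructed sample: 12 rows over the three types, one Failure each -->
          <query>| makeresults count=12
| streamstats count AS n
| eval CONN=case(n%3==0, "AUTHENTIC", n%3==1, "BANK", true(), "RTDC")
| eval category=if(n%4==0, "Failure", "Success")
| chart count by CONN, category</query>
        </search>
        <drilldown>
          <!-- click.value is the bar (CONN); click.name2 is the clicked series -->
          <!-- fail_type is unset on a Success click, which hides the detail panel -->
          <eval token="fail_type">if($click.name2$="Failure", $click.value$, null())</eval>
          <!-- rc_field (hypothetical token) picks the per-type field from the thread's queries -->
          <eval token="rc_field">case($click.value$="AUTHENTIC", "transaction_log.trl_action_response_code", $click.value$="BANK", "ews_transaction_log.ews_pb_response_code", $click.value$="RTDC", "ews_transaction_log.ews_rtdc_response_code")</eval>
        </drilldown>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
  </row>
  <row>
    <!-- Rendered, and its search dispatched, only while fail_type is set -->
    <panel depends="$fail_type$">
      <title>$fail_type$ failures (response-code field: $rc_field$)</title>
      <table>
        <search>
          <!-- The |s filter wraps the clicked value in quotes before it reaches SPL -->
          <query>| makeresults count=12
| streamstats count AS n
| eval CONN=case(n%3==0, "AUTHENTIC", n%3==1, "BANK", true(), "RTDC")
| eval category=if(n%4==0, "Failure", "Success")
| search category="Failure" CONN=$fail_type|s$
| eval response_code_field="$rc_field$"
| table n CONN category response_code_field</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Against the real data, the detail query would start from the thread's own search and filter with `$rc_field$!=0` in place of the three hard-coded response-code fields.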