I want to display all the events present inside a transaction on the main dashboard by clicking on the transaction row in the table, but I am not able to return that specific transaction's events and am instead returning all the transactions related to that source.
So essentially, I need to see all the events present inside the clicked row (transactions) in the form of a drill down of events.
Can someone point me in the right direction, please?
Thank you.
Hi pkol,
could you share your search?
Anyway, I suggest creating two panels in a dashboard; in the main panel you insert your search.
Then you can pass as token/s the field/s you used to create your transaction to the secondary panel and display the events that are in the transaction.
To know how to pass a token from a panel to another in the same dashboard, see the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).
Anyway, if you created your transaction using a field as transaction id, I suggest exploring a different approach because the transaction command is very slow!
e.g. if you have something like this
index=my_index
| transaction trans_id
| table _time trans_id field1 field2
you can change it to
index=my_index
| stats earliest(_time) AS _time values(field1) AS field1 values(field2) AS field2 count BY trans_id
that is much faster than the other.
Bye.
Giuseppe
THANK YOU, I FIGURED IT OUT!