Splunk Drill Down Option Issue

kaushal21rajput · ‎08-08-2018

Hi ,

I am trying to create a dashboard for Error OR fail* from application logs. There are three hosts from where data is reporting to splunk instance.
Now i have run search query Error OR fail* and from output result created three dashboards in single.
1. Pie chart shows count for all hosts
2. Total Number of events that have Error or fail*
3. Events for all hosts that have Error or fail*

I have 1 dropbox as well which have all three hosts. I have defined a token value "drop_box" and pass that value in search of each dashboard. Now when i am selecting any host ,data from all three dashboard shown for that host only.

Now my requirement is , when i will click pie chart for a particular host, i should get the data for that host only but i am not getting this and it shows error "could not create search". below is code.

renjith_nair · ‎08-08-2018

@kaushal21rajput,

Made the following changes to the dashboard.

Removed the host filter - you could uncomment the block if you still need it
Set the token on the click of pie and added the token to other rows

Try this and lets know whats missing.

<dashboard>
  <label>Error OR Fail</label>
  <!--
  <fieldset submitButton="false">
    <input type="dropdown" token="drop_down" searchWhenChanged="true">
     <label>Select host</label>
     <choice value="*">alll</choice>
     <choice value="blankrhel6">host1</choice>
     <choice value="searchhead">host2</choice>
     <choice value="tip">host3</choice>
     <fieldForLabel>here is output</fieldForLabel>
     <fieldForValue>check</fieldForValue>
     <default>*</default>
   </input>
  </fieldset>
  -->
  <row>
    <panel>
      <chart>
        <search>
          <query>Error OR Fail host=*| stats count by host</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <!-- SET THE TOKEN host_from_pie TO CLICKED VALUE OF PIE-->
        <drilldown>
          <set token="host_from_pie">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <!-- Hide this once the user clicks on the pie chart -->
  <row rejects="$host_from_pie$">
    <html>
      <h5 align="center">Click on the pie to get details of host</h5>
    </html>
  </row>
  <row>
    <panel depends="$host_from_pie$"> <!-- ADDED A DEPENDENCY ON THE TOKEN SO THAT THE PANELS WILL BE DISPLAYED ONLY WHEN THE TOKEN IS SET -->
      <single>
        <title>Total Event</title>
        <search>
          <query>Error OR Fail host=$host_from_pie$ | stats count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="height">92</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel depends="$host_from_pie$"> <!-- ADDED A DEPENDENCY ON THE TOKEN SO THAT THE PANELS WILL BE DISPLAYED ONLY WHEN THE TOKEN IS SET -->
      <event>
        <search>
          <query>Error OR fail* host=$host_from_pie$</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="raw.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">none</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</dashboard>

---
What goes around comes around. If it helps, hit it with Karma 🙂

renjith_nair · ‎08-11-2018

@kaushal21rajput, does it work for you ?

---
What goes around comes around. If it helps, hit it with Karma 🙂

kaushal21rajput · ‎08-08-2018

Below is XML code-

Error or fail

<input type="dropdown" token="drop_down" searchWhenChanged="true">
  <label>Select host</label>
  <choice value="*">alll</choice>
  <choice value="blankrhel6">host1</choice>
  <choice value="searchhead">host2</choice>
  <choice value="tip">host3</choice>
  <fieldForLabel>here is output</fieldForLabel>
  <fieldForValue>check</fieldForValue>
  <search>
    <query>Error OR fail* | stats count by $drop_dowm$</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <default>*</default>
</input>


<panel>
  <chart>
    <search>
      <query>Error OR Fail host = $drop_down$| stats count by host</query>
      <earliest>0</earliest>
      <latest></latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.abbreviation">none</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.abbreviation">none</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.abbreviation">none</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.mode">standard</option>
    <option name="charting.legend.placement">right</option>
    <option name="charting.lineWidth">2</option>
    <option name="refresh.display">progressbar</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <drilldown>
      <link target="_blank">/app/search/error_or_fail?form.$drop_down$=$click.value$</link>
    </drilldown>
  </chart>
</panel>


<panel>
  <single>
    <title>Total Event</title>
    <search>
      <query>Error OR Fail host =$drop_down$ | stats count</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="drilldown">none</option>
    <option name="height">92</option>
    <option name="refresh.display">progressbar</option>
  </single>
</panel>


<panel>
  <event>
    <search>
      <query>Error OR fail* host="$drop_down$"</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="list.drilldown">none</option>
    <option name="list.wrap">1</option>
    <option name="raw.drilldown">none</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">none</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
  </event>
</panel>

Splunk Drill Down Option Issue

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases