Re: Link to search in new tab

manish_singh_77 · ‎06-01-2020

Hi Team,

Link to search on a new tab for raw events when we click on a particular value in the line chart?

Is it possible?

493669 · ‎06-02-2020

to apply your requirement without editing xml-

Go to edit>>clicked on three dots for particular panel where you want to apply drilldown then use like below-

493669 · ‎06-01-2020

Use below drilldown-

<option name="charting.drilldown">all</option>
 <drilldown>
      <link target="_blank">/app/myapp/mwdashboard</link>
 </drilldown>

manish_singh_77 · ‎06-01-2020

@493669

This is not what I am looking for, I have a line chart and when I would click on the line chart value then it should open up new tab which should show me the raw events.

It works fine, when I select auto option in drilldown for "link to search", however I want the same thing in new tab.

493669 · ‎06-01-2020

try below- here replace query with your query-

<option name="charting.drilldown">all</option>
        <drilldown>
          <link target="_blank">search?q=index=_internal%20%7C%20stats%20count%20by%20sourcetype&amp;earliest=-15m&amp;latest=now</link>
        </drilldown>

Below is sample dashboard on sampe data-

<dashboard>
  <label>826404_line chart</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <!--drilldown>
      <link target="_blank">/app/search/592973_multiselect_remove_all</link>
 </drilldown-->
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <link target="_blank">search?q=index=_internal%20%7C%20stats%20count%20by%20sourcetype&amp;earliest=-15m&amp;latest=now</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

manish_singh_77 · ‎06-01-2020

@493669

I am not looking for this, my query is different, if I click on a line chart value it should display only that events.

Regards,
Manish Singh

493669 · ‎06-01-2020

at the end of query use event handler like $click.value$ which will help to display clicked event.
refer splunk docs-https://docs.splunk.com/Documentation/Splunk/8.0.4/Viz/EventHandlerReference#chart_(event_tokens)

manish_singh_77 · ‎06-02-2020

@493669

I tried click.value2 and click.name2 but the value is not getting passed when it is opening in the new tab. I have a line chart which has hosts and its error count. So when I click on line chart it should give me the raw events of that host only.

for example

index= abc sourcetype= access:logs|timechart count as error_count by host

Drilldown search: index= abc sourcetype= access:logs host=$click.value2$

493669 · ‎06-02-2020

you will require to search host=$click.name2$
I have created sample dashboard and here on click it will open clicked sourcetype
Use below for reference-

<dashboard>
  <label>826404_line chart</label>
  <row>
    <panel>
      <chart>
        <title>$abc$</title>
        <search>
          <query>index=_internal | timechart count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>

        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">search?q=index=_internal%20%7C%20timechart%20count%20by%20sourcetype%7Csearch%20sourcetype=%22$click.name2$%22&amp;earliest=-15m&amp;latest=now</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

Link to search in new tab

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases