Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I just need to see a simple example of using click.value where my summary chart can be used to drill down to raw events.

the_wolverine
Champion
‎10-30-2012 02:41 PM

I've got a dashboard that renders using summarized data. When a user clicks on the chart, I want Splunk to return the raw events associated, not the summary events.

I believe I need to use Converttointention and click.value but I'm not getting it from the various examples posted here.

Is there a Cliff's Notes on how to do this? Learn by simple example?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-30-2012 10:46 PM

For the moment I assumed that you want the drilldown to open the flashtimeline view, and you want the events to appear there.

Here's a simple example. I know it uses the metadata command instead of a summary index search but the basic idea is the same. This wiring essentially lays the drilldown logic on top of a completely different base search.

The really weird thing, is that the HiddenSearch that you see inside the JSChart -- that search never gets executed. it's just there to trick the ConvertToDrilldownSearch module that it was the search whose results were rendered into the chart... 

<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">| metadata type="sourcetypes" | stats sum(totalCount) by sourcetype</param>

  <module name="HiddenChartFormatter">
    <param name="charting.chart">bar</param>

    <module name="JSChart">
      <module name="HiddenSearch">
        <param name="search">* | stats sum(totalCount) by sourcetype</param>
        <module name="ConvertToDrilldownSearch">
          <module name="ViewRedirector">
            <param name="viewTarget">flashtimeline</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

And just in case you or other readers are already using Sideview Utils 2.0+ (Currently 2.2.4), here's an example that uses the Sideview Utils Redirector module to do the same thing.

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">| metadata type="sourcetypes" | stats sum(totalCount) by sourcetype</param>

  <module name="HiddenChartFormatter">
    <param name="charting.chart">bar</param>

    <module name="JSChart">
      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search $click.searchTerms$</param>
      </module>
    </module>
  </module>
</module>

Basically instead of the Splunk modules HiddenSearch + ConvertToDrilldownSearch + ViewRedirector, you would just use the Sideview Redirector module (Note you'll need at least a 2.X version of Utils for this example to work).

For further reading, for the core Splunk modules and techniques in the first example, there's an example in the UI Examples app, on the "drilldown_intro" page. But you have to scroll down to the 6th row -- the one titled "Custom wiring: using Generic drilldown into a different base search". Also if the base search has an eval in it or something that ConvertToDrilldownSearch can't handle, you'll have to step up to a ConvertToIntention module and it gets a bit hairy.

And for examples on the Sideview side, there are lots of examples, for instance in the "linking" section. And if after all this you actually wanted the events to appear underneath the chart rather than in a new window, that's actually simpler and you can check out the "inline drilldown" page in Utils.

View solution in original post

Reply
Solved! Jump to solution

the_wolverine
Champion
‎10-31-2012 10:14 AM

I was just trying to get it to work 🙂 Thanks for your example, I think the main issue is with my converted Advanced XML which includes many unnecessary params.

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-30-2012 10:46 PM

For the moment I assumed that you want the drilldown to open the flashtimeline view, and you want the events to appear there.

Here's a simple example. I know it uses the metadata command instead of a summary index search but the basic idea is the same. This wiring essentially lays the drilldown logic on top of a completely different base search.

The really weird thing, is that the HiddenSearch that you see inside the JSChart -- that search never gets executed. it's just there to trick the ConvertToDrilldownSearch module that it was the search whose results were rendered into the chart... 

<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">| metadata type="sourcetypes" | stats sum(totalCount) by sourcetype</param>

  <module name="HiddenChartFormatter">
    <param name="charting.chart">bar</param>

    <module name="JSChart">
      <module name="HiddenSearch">
        <param name="search">* | stats sum(totalCount) by sourcetype</param>
        <module name="ConvertToDrilldownSearch">
          <module name="ViewRedirector">
            <param name="viewTarget">flashtimeline</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

And just in case you or other readers are already using Sideview Utils 2.0+ (Currently 2.2.4), here's an example that uses the Sideview Utils Redirector module to do the same thing.

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">| metadata type="sourcetypes" | stats sum(totalCount) by sourcetype</param>

  <module name="HiddenChartFormatter">
    <param name="charting.chart">bar</param>

    <module name="JSChart">
      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search $click.searchTerms$</param>
      </module>
    </module>
  </module>
</module>

Basically instead of the Splunk modules HiddenSearch + ConvertToDrilldownSearch + ViewRedirector, you would just use the Sideview Redirector module (Note you'll need at least a 2.X version of Utils for this example to work).

For further reading, for the core Splunk modules and techniques in the first example, there's an example in the UI Examples app, on the "drilldown_intro" page. But you have to scroll down to the 6th row -- the one titled "Custom wiring: using Generic drilldown into a different base search". Also if the base search has an eval in it or something that ConvertToDrilldownSearch can't handle, you'll have to step up to a ConvertToIntention module and it gets a bit hairy.

And for examples on the Sideview side, there are lots of examples, for instance in the "linking" section. And if after all this you actually wanted the events to appear underneath the chart rather than in a new window, that's actually simpler and you can check out the "inline drilldown" page in Utils.

Reply
Solved! Jump to solution

the_wolverine
Champion
‎10-31-2012 10:18 AM

Thank you, sideview 😉

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎10-30-2012 10:31 PM

Do you want the raw events to load in a new window like in the flashtimeline view, or do you want them to appear inline in the dashboard, right underneath the chart?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...