How to Create Multi-Link Drilldown from a Stacked Column Chart in Splunk

How to Create Multi-Link Drilldown from a Stacked Column Chart in Splunk

Hi guys !!
We have come with another interesting of Splunk. In order to making our dashboards more attractive we create drilldown in Splunk . There are lots of options with drilldown in Splunk.

You all have seen the stack option while formatting the column chart in dashboard. Now we will show you how to pass the values from stacked column chart depending upon your click.

Step 1 :

Make a dashboard with column chart visualization in stacked format. Dashboard name is Multi_Link_Drilldown. The query for main dashboard is given below.

index=_internal file=shelper OR file=control OR file=splunkd 
| timechart span=1d count(status) by file

md1

Step 2:

Create separate dashboards which you want to make dependent upon the main dashboard. Here we have created three dashboards. Those are following

Control_Drilldown

Query for the Control_Drilldown dashboard is given below.

index=_internal file=control
| stats count by sourcetype

md3

Splunkd_Drilldown 

Query for the Splunkd_Drilldown dashboard is given below.

index=_internal file=splunkd
| stats count by clientip
| sort – count
md4

Shelper_Drilldown

Query for the Shelper_Drilldown dashboard is given below.

index=_internal file=shelper
| stats count

md5

Step 3:

Now edit the source code of main dashboard. Click on Edit and the then click on Source.

md2

Step 4:

Now edit the source code of main dashboard as follows.

        <drilldown>

          <link field=”shelper” target=”_blank”>/app/search/shelper_drilldown?shelper_token=$click.name2$</link>

          <link field=”splunkd” target=”_blank”>/app/search/splunkd_drilldown?splunkd_token=$click.name2$</link>

          <link field=”control” target=”_blank”>/app/search/control_drilldown?control_token=$click.name2$</link>

        </drilldown>

Here in  stacked mode every portion is a field name so inside the link tag we have given field name for each portion by field attribute and by the target attribute links will be opened in a new tab.

After that we have to give the url of the dependent dashboards. As  we have mentioned in the Step 2 by red rectangular boxes.

For Control_Drilldown dashboard url will be /app/search/control_drilldown
For Splunkd_Drilldown dashboard url will be /app/search/splunkd_drilldown
For Shelper_Drilldown dashboard url will be /app/search/shelper_drilldown

Also you have to pass the token values depending upon click so we have given token names and action is will be $click.name2$ . By the $click.name2$ field names will pass.

For Control_Drilldown dashboard token name  will be control_token.
For Splunkd_Drilldown dashboard token name  will be splunkd_token.
For Shelper_Drilldown dashboard token name  will be shelper_token.

md6

md7

Also make sure that  <option name=”charting.drilldown”>all</option> set as all . If not then set as all.

After making changes into the source code click on Save button to save the changes. Now if you click any portion of a particular column then depending upon your click dashboards will be opened in a new tab.

Step 5:

You have to pass the token inside the panels to get the data depending upon the token value.

For Control_Drilldown dashboard click on Edit button in Control_Drilldown dashboard and then click on Edit Search option in the panel. Modify the query as follow.

md8

Click on Apply button and then click on Save to save the changes. Here control_token is the token name which we have given in the main dashboard . Token should be enclosed by “$” sign.

For Splunkd_Drilldown dashboard click on Edit button in Splunkd_Drilldown dashboard and then click on Edit Search option in the panel. Modify the query as follow.

md10

Click on Apply button and then click on Save to save the changes. Here splunkd_token is the token name which we have given in the main dashboard . Token should be enclosed by “$” sign.

For Shelper_Drilldown dashboard click on Edit button in Shelper_Drilldown dashboard and then click on Edit Search option in the panel. Modify the query as follow.

md9

Click on Apply button and then click on Save to save the changes. Here shelper_token is the token name which we have given in the main dashboard . Token should be enclosed by “$” sign.

Hope this has helped you in achieving the below requirement without fail:

How to Create Multi-Link Drilldown from a Stacked Column Chart in Splunk

 

Happy Splunking !!

Advertisements

One comment

  1. Hi,

    Can you create a post clearly explaining the tokens in splunk like $click.name2$, $click.value$ etc. ?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.