HOW TO PASS FIELD VALUES FROM A SINGLE VALUE PANEL USING DRILLDOWN

Hi Guys!!!
Today we have come up with an interesting Drilldown trick, which shows how to pass field values from a single value panel to another panel using Drilldown.
We know that using Drilldown we can pass values from one panel to another panel with the help of a token. We have other blog posts where you can find out more about Drilldown:
https://splunkonbigdata.com/?s=drilldown

Here, we are taking two indexes, “employee_info_main” and “employee_info_sub”. Both contain one field, “Employee_Name”, which holds the names of some employees.

Please look at the screenshots below:
[Screenshot: field values of Employee_Name in “employee_info_main”]

[Screenshot: field values of Employee_Name in “employee_info_sub”]

Now, we will create a dashboard named “Drilldown Trick”, in which we will create two panels.
Panel: 1
The number of employees from the “employee_info_sub” index, in a Single Value visualization.
Panel: 2 (Name of the Employees)
When we click on the value in Panel 1, Panel 2 will show, in a Statistics table visualization, the Employee_Name values from the employee_info_main index that match the Employee_Name values from the employee_info_sub index.

SOUNDS DIFFICULT!!! But, we can do it very easily. So, let’s start.

Step: 1
Log in to the Splunk instance using your user name and password.

Step: 2
Click on Search and Reporting App.

Step: 3
The query of Panel: 1 is given below.

index=employee_info_sub 
| stats count by Employee_Name
| fields - count
| eventstats count
| table count,Employee_Name
| eval Employee_Name="\"".Employee_Name."\""
| mvcombine Employee_Name

More on the eventstats command: https://splunkonbigdata.com/2018/09/29/difference-between-streamstats-and-eventstats-command-in-splunk/

Step: 4
We will create a dashboard named “Dashboard_Trick”, save this search in it as Panel: 1, and change the visualization to “Single Value”.

Step: 5
Now we will click on the Edit option of this Dashboard.

Step: 6
Go to the Source option.

Step: 7

[Screenshots: dashboard source with the drilldown created in Panel: 1 (Number of Employees)]

To enable drilldown in this panel, write all in the drilldown option, as below:

<option name="drilldown">all</option>

Now, we have to set the token needed.

<drilldown>
<set token="Employee_Name_sub">$row.Employee_Name$</set>
</drilldown>


We have set the value “$row.Employee_Name$” in the token “Employee_Name_sub”, which captures the values of the Employee_Name field from the query of Panel: 1 (Number of Employees).
[Check the query of Panel: 1 (Number of Employees)]
We have set one eval token, which makes some modification to the value captured in the token “Employee_Name_sub”. By default, a comma is used as the delimiter when the values of a multivalue field are passed as a token value.
Now we have the value we need in the token “Employee_Name_sub”, ready to use in Panel: 2 (Name of the Employees).

Step: 8
The Query of the Panel: 2(Name of the Employees) is given below:

index=employee_info_main | where 'Employee_Name' IN ( $Employee_Name_sub$ ) 
| table Employee_Name
| dedup Employee_Name

Here, we have referenced the token “Employee_Name_sub” as $Employee_Name_sub$. Writing | where Employee_Name IN ( $Employee_Name_sub$ ) is another way of writing the where command. Then we use the table command to get the result in tabular form.

[Screenshot: Panel: 2 (Name of the Employees) after the drilldown]
In the above picture, you can see that in Panel: 2 (Name of the Employees) we get 3 values in the Employee_Name field, which match the values in the Employee_Name field from Panel: 1 (Number of Employees), with the help of Drilldown.

When the value is passed to the second panel, it looks like this:

[Screenshot: token value as passed to the second panel]

Note that all the values arrive with a comma delimiter.
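
The hand-off from Panel 1 to Panel 2 can be checked offline with a small model. This is an added example, not code from the original post or from Splunk: the function names and sample names are assumptions, and the token is modelled as plain text replacement of $Employee_Name_sub$. It shows why the eval adds the quotes (a comma inside a name stays inside one value) and that a name containing a double quote no longer gives a clean IN list, so such values are worth looking for in the index before relying on the drilldown.

```python
import re

# Panel 2 search from the post, with the token placeholder left in.
PANEL2 = ("index=employee_info_main | where 'Employee_Name' IN ( $Employee_Name_sub$ ) "
          "| table Employee_Name | dedup Employee_Name")

def panel1_result(names):
    """Model of the Panel 1 search: distinct names, each wrapped in double
    quotes by the eval, merged by mvcombine and handed over comma-delimited."""
    distinct = sorted(set(names))                # stats count by Employee_Name
    quoted = ['"' + n + '"' for n in distinct]   # eval ... "\"".Employee_Name."\""
    return len(distinct), ",".join(quoted)       # eventstats count, mvcombine

def substitute(search, tokens):
    """Replace each $name$ placeholder with the token's text, unchanged."""
    return re.sub(r"\$(\w+)\$", lambda m: tokens[m.group(1)], search)

def in_list(search):
    """Read the IN ( ... ) list back as string literals. Returns None when the
    text between the parentheses is not a clean list of quoted strings."""
    body = re.search(r"IN \( (.*) \) \| table", search).group(1)
    item = r'"[^"]*"'
    if not re.fullmatch(item + "(?:," + item + ")*", body):
        return None
    return [s[1:-1] for s in re.findall(item, body)]

def drilldown(names):
    """Click on Panel 1: returns (count shown, Panel 2 search, parsed IN list)."""
    count, token = panel1_result(names)
    search = substitute(PANEL2, {"Employee_Name_sub": token})
    return count, search, in_list(search)

if __name__ == "__main__":
    # Constructed sample names, not data from the post.
    for sample in (["Alice", "Bob", "Carol", "Bob"],
                   ["Lee, Ann", "Bob"],
                   ['Ann "AJ" Lee', "Bob"]):
        count, search, values = drilldown(sample)
        print(count, search)
        print("  IN list:", values if values is not None else "NOT A CLEAN LIST")
```
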
Now you can use this cool trick for Splunk dashboard customization.

Happy Splunking !!!!
