How to customize drilldown options
This documentation does not apply to the most recent version of Splunk.
By default, all tables and charts provide drilldown capability into the relevant events. In views created with the visual dashboard editor or simple XML, you can set up a few options for drilldown search. Learn more about the basic options for table and chart drilldown in the User Manual.
However, if the basic table and chart drilldown configurations don't suit your needs, you can configure other behavior via the advanced XML syntax. For example, you may want to send your drilldowns to views other than flashtimeline. Or you may want to generate your chart from one search and drilldown to run a separate search. You will first need to create an advanced dashboard, as described earlier in this manual. Then, you can change the default drilldown behavior for any table or chart in your dashboard.
This page includes a few examples of advanced drilldown configurations. There are many customization options with the advanced XML, but these examples should help get you started. For more examples, see the UI examples app posted on Splunkbase.
Add chrome
Start out your view by adding the chrome and nav:
<view onunloadCancelJobs="False" autoCancelInterval="100">
  <!-- autoCancelInterval is set here to 100 -->
  <label>Drilldown view</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
Next, decide what kind of drilldown you'd like to build and pick one or more of the following configurations.
Add a drilldown pattern
All table and chart drilldowns start with the basic drilldown pattern, which is built with the following modules:
- HiddenSearch: Use this module to specify the search that populates your chart or table.
- SimpleResultsTable: Display your results.
- ConvertToDrilldownSearch: Enables drilldown with all the defaults.
- ViewRedirector: Specify what view to send your users to when they click on the chart or table.
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">host=foo OR bar</param>
  <param name="earliest">-1h</param>
  <module name="SimpleResultsTable">
    <param name="displayRowNumbers">False</param>
    <param name="drilldown">row</param>
    <param name="entityName">results</param>
    <module name="ConvertToDrilldownSearch">
      <module name="ViewRedirector">
        <param name="viewTarget">flashtimeline</param>
      </module>
    </module>
  </module>
</module>
This basic pattern sets up a drilldown search on a table. When a user clicks a row within the table, they will be redirected to relevant search results in the flashtimeline view.
Advanced examples
Here are a few examples of the customized drilldown actions that you can create with the advanced XML.
Change the default click behavior
You can use the advanced XML to change the behavior when a user clicks on a table or chart. You may want to send them to another view besides the flashtimeline, or you may want to display another chart below the first table or chart.
Launch a search in a new view
With a small edit to the default drilldown configuration, you can open a search in a view other than flashtimeline. Just change the viewTarget param of the ViewRedirector module. Note that if a user clicks to drilldown, the new view will open in the same window. To open in a new window, ctrl-click (or command-click on a Mac).
This example opens up drilldown click searches in a view called MyCustomView.
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">host=foo OR bar</param>
  <param name="earliest">-1h</param>
  <module name="JobProgressIndicator"></module>
  <module name="SimpleResultsTable">
    <param name="displayRowNumbers">False</param>
    <param name="drilldown">row</param>
    <param name="entityName">results</param>
    <module name="ConvertToDrilldownSearch">
      <module name="ViewRedirector">
        <param name="viewTarget">MyCustomView</param>
      </module>
    </module>
  </module>
</module>
Drilldown to a new chart
Here's an example that opens a new chart below when a user clicks to drilldown on the initial chart. This example includes a bar chart that displays the top ten sourcetypes by total volume indexed. A click on a bar causes a second chart to open below the initial one. The second drilldown chart displays the average eps over time for the sourcetype that was clicked, over the same period of time used to collect the sums in the original search.
And here's the XML behind this example:
<module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="True">
  <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | chart sum(kb) over series | sort -sum(kb) | head 10</param>
  <param name="earliest">-1h</param>
  <module name="HiddenChartFormatter">
    <param name="charting.chart">bar</param>
    <param name="charting.primaryAxisTitle.text">Sourcetype</param>
    <param name="charting.secondaryAxisTitle.text">KB Indexed</param>
    <param name="charting.legend.placement">none</param>
    <module name="JobProgressIndicator"/>
    <!-- here's the FlashChart that we'll click on -->
    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="height">160px</param>
      <!-- we swap out the search to be a timechart. -->
      <module name="HiddenSearch">
        <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | timechart avg(eps)</param>
        <param name="earliest">-1h</param>
        <!-- this module uses $click.value$ to grab the value we clicked on and put it in as a searchterm,
             series="someSourcetype". NOTE: use $click.value$ for "row" drilldown configurations (always takes
             the value of the first cell in the row the user clicks) and $click.value2$ for "cell" drilldown configurations
             (always takes the value of the cell the user clicks). -->
        <module name="ConvertToIntention">
          <param name="intention">
            <param name="name">addterm</param>
            <param name="arg">
              <param name="series">$click.value$</param>
            </param>
          </param>
          <!-- finally, we render the search in another FlashChart, and we throw in a JobProgressIndicator for good measure. -->
          <module name="JobProgressIndicator"></module>
          <!-- We throw in a header so we can tell the user what they clicked on. -->
          <module name="SimpleResultsHeader">
            <param name="entityName">results</param>
            <param name="headerFormat">EPS over time for sourcetype=$click.value$ $time$</param>
          </module>
          <module name="HiddenChartFormatter">
            <param name="chart">line</param>
            <param name="primaryAxisTitle.text">Time</param>
            <param name="secondaryAxisTitle.text">events per second</param>
            <param name="legend.placement">none</param>
            <module name="FlashChart">
              <param name="width">100%</param>
              <param name="height">160px</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
Swap out the underlying search
You can wire up your drilldown click to launch a different search than the search that generates the data in the table or chart. There are a couple of reasons to do this:
- you're building charts and tables on searches of a summary index.
- you're building charts and tables on metadata searches.
If you keep the default drilldown behavior, these searches won't really result in a useful set of events. So it's best to swap out the drilldown search. You do this by adding in another HiddenSearch or HiddenSavedSearch module in between the chart or table and the ConvertToDrilldownSearch module.
For example, say you have a dashboard timechart that's based on this summary index search:
index=summary report=firewall_top100_sources_hourly | timechart count by host
You can use the advanced XML to wire up this dashboard panel so that drilldown clicks initiate a search that matches the events returned by the original summary index search, such as:
sourcetype=cisco sourcetypetag=production | timechart count by host
Here's what the XML looks like:
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">index=summary report=firewall_top100_sources_hourly | timechart count by host</param>
  <param name="earliest">-1h</param>
  <module name="HiddenChartFormatter">
    <param name="chart">line</param>
    <param name="primaryAxisTitle.text">Time</param>
    <param name="secondaryAxisTitle.text">events per second</param>
    <param name="legend.placement">none</param>
    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="height">160px</param>
      <!-- the swapped-in drilldown search; only the top-level module carries layoutPanel and autoRun -->
      <module name="HiddenSearch">
        <param name="search">sourcetype=cisco sourcetypetag=production | timechart count by host</param>
        <module name="ConvertToDrilldownSearch">
          <module name="ViewRedirector">
            <param name="viewTarget">flashtimeline</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
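To review where drilldown clicks land, the following Python script (an added example, not part of the Splunk documentation) parses an advanced XML view and reports, for each ViewRedirector, its viewTarget and the HiddenSearch nearest to it, covering both the basic pattern and the swapped-search case described above. The function names, the `allowed_views` default and the sample view are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the basic pattern and the swapped-search panel from this page in one <view>.
SAMPLE_VIEW = """<view>
  <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">host=foo OR bar</param>
    <module name="SimpleResultsTable">
      <module name="ConvertToDrilldownSearch">
        <module name="ViewRedirector"><param name="viewTarget">MyCustomView</param></module>
      </module>
    </module>
  </module>
  <module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="True">
    <param name="search">index=summary report=firewall_top100_sources_hourly | timechart count by host</param>
    <module name="FlashChart">
      <module name="HiddenSearch">
        <param name="search">sourcetype=cisco sourcetypetag=production | timechart count by host</param>
        <module name="ConvertToDrilldownSearch">
          <module name="ViewRedirector"><param name="viewTarget">flashtimeline</param></module>
        </module>
      </module>
    </module>
  </module>
</view>"""

def param(module, name):
    """Text of a direct <param name=...> child of a module, or None."""
    return next(((p.text or "").strip() for p in module.findall("param")
                 if p.get("name") == name), None)

def audit_drilldowns(view_xml, allowed_views=("flashtimeline",)):
    """Return one record per ViewRedirector: target view and the searches above it."""
    records = []
    def walk(element, ancestors):
        if element.get("name") == "ViewRedirector":
            searches = [param(a, "search") for a in ancestors if a.get("name") == "HiddenSearch"]
            target = param(element, "viewTarget")
            records.append({
                "viewTarget": target,
                "target_allowed": target in allowed_views,  # assumed reviewer allowlist
                "has_convert": any(a.get("name") == "ConvertToDrilldownSearch" for a in ancestors),
                "swapped": len(searches) > 1,  # a second HiddenSearch sits between chart and redirect
                "nearest_search": searches[-1] if searches else None,
            })
        for child in element.findall("module"):
            walk(child, ancestors + [element])
    walk(ET.fromstring(view_xml), [])
    return records
```

Calling `audit_drilldowns(SAMPLE_VIEW)` returns the records in document order, one per drilldown redirect.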
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8
