- Variables can be used in either the name attribute or body of this nested param tag. We will see an example of this under the Creating a custom drilldown section.
flags: Every example of addterm that I can find includes this attribute, exactly as written. It essentially says that the term to be added to the search should be added before the first pipe symbol, not at the end of the full query.
For example, consider the following query:
error | top logger
This param would amend our query like this:
error source="*metrics.log" | top logger
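To make the two placements concrete, here is an added Python model of that rewrite (illustration only, not Splunk's own addterm code): with the flags param set as above, the term is inserted before the first pipe that is not inside double quotes; without it, the term is appended to the end of the full query. The quoted-pipe handling and the extra sample queries are constructed for this example.

```python
"""Model of how the addterm intention rewrites a Splunk search string.

Added illustration, not Splunk's implementation. It mimics the two placements
the text describes: with the flags param, the term goes into the first (search)
command just before the first pipe; without it, the term is appended at the end.
"""


def first_pipe_index(query: str) -> int:
    """Return the index of the first pipe outside double quotes, or -1 if none.

    A pipe inside a quoted value such as message="a|b" belongs to the value
    and must not be treated as a command separator.
    """
    in_quotes = False
    for i, ch in enumerate(query):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "|" and not in_quotes:
            return i
    return -1


def addterm(query: str, term: str, with_flags: bool = True) -> str:
    """Add a search term to a query the way the addterm intention does.

    with_flags=True  -> insert the term before the first pipe (the search
                        command), as the flags param in the text causes.
    with_flags=False -> append the term to the end of the full query.
    """
    query = query.strip()
    if not with_flags:
        return f"{query} {term}"
    cut = first_pipe_index(query)
    if cut == -1:
        # No pipe at all: the whole query is the search command.
        return f"{query} {term}"
    head, tail = query[:cut].rstrip(), query[cut:]
    return f"{head} {term} {tail}"


if __name__ == "__main__":
    # The query and term from the text above.
    print(addterm("error | top logger", 'source="*metrics.log"'))
    # -> error source="*metrics.log" | top logger
```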
Creating a custom drilldown
A drilldown is a query built using values from a previous query. The module
ConvertToDrilldownSearch will build a query automatically from the table or
graph that it is nested inside. Unfortunately, this only works well when the query
is fairly simple, and when you want to see raw events. To build a custom drilldown,
we combine intentions and the nested nature of modules.
Building a drilldown to a custom query
Looking back at our chart in the Reusing a query section, let's build a custom
drilldown that shows the top instances of another field when it is clicked on.
Here is an example dashboard that draws a chart and then runs a custom query
when clicked on:
<view template="dashboard.html">
  <label>Chapter 8 - Drilldown to custom query</label>
  <!-- chrome -->
  <module
    name="HiddenSearch"
    layoutPanel="panel_row1_col1"
    autoRun="True"
    group="Errors by user">
    <param name="search">
      sourcetype="impl_splunk_gen" loglevel=error | top user
    </param>
    <param name="earliest">-24h</param>