时间戳

首页 > 解决方案 > Splunk 仪表板多次向下钻取

splunk - Splunk 仪表板多次向下钻取

问题描述

我在仪表板中有 3 个面板 - 面积图(从服务器日志中填充数据)、条形图(从访问日志中填充数据)和一个面板,当我们单击图表中的数据点时,它会显示搜索结果。当我单击面积图中的数据点时,搜索工作正常并更新名为 DataPanel 的面板。但是,当我单击条形图上的数据点时,它会弄乱所有数据并多次显示相同的数据。下面是我目前正在使用的 xml。

请提供任何建议来修复搜索。

<form theme="light">
  <label Dash</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="tkn_search" searchWhenChanged="true">
      <label>Select Time Range</label>
      <default>
        <earliest>-12h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tkn_dom">
      <label>Domain</label>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
        <query>|eventcount summarize=false index="*_dom" | dedup index | fields index</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="tkn_sourcetype" searchWhenChanged="true">
      <label>Log Source Type</label>
      <search>
        <query>|metadata type=sourcetypes index=$tkn_dom$ | fields sourcetype</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <default>access_log</default>
      <initialValue>access_log</initialValue>
    </input>
    <input type="dropdown" token="tkn_host" searchWhenChanged="true">
      <label>Host</label>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>| metadata type=hosts index=$tkn_dom$ | fields host</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="tkn_search_txt" searchWhenChanged="true">
      <label>Search Text</label>
      <default>ERROR</default>
    </input>
  </fieldset>
  <row>
    <panel id="DataChartPanel">
      <title>Logs TIme Series</title>
      <chart>
        <search>
          <query>index=$tkn_dom$ host=$tkn_host$ sourcetype=$tkn_sourcetype$ ($tkn_search_txt$) | timechart count</query>
          <earliest>$tkn_search.earliest$</earliest>
          <latest>$tkn_search.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">Number of Errors</option>
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <option name="charting.backgroundColor">#FFFFFF</option>
        <option name="charting.fontColor">#000000</option>
        <option name="charting.fieldColors">{"ERROR" : 0xF70B0B}</option>
        <drilldown>
          <eval token="drilldown.earliest">$earliest$</eval>
          <eval token="drilldown.latest">$latest$</eval>
        </drilldown>
      </chart>
    </panel>
    <panel id="DataChartPanel1">
      <title>Access Logs</title>
      <chart>
        <search>
          <query>index=$tkn_dom$ host=$tkn_host$ sourcetype=access | chart count by StatusCode</query>
          <earliest>$tkn_search.earliest$</earliest>
          <latest>$tkn_search.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">175</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="tkn_sourcetype">access</set>
          <eval token="drilldown.earliest">$earliest$</eval>
          <eval token="drilldown.latest">$latest$</eval>
          <eval token="tkn_search_txt">$click.value$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel id="DataPanel">
      <event>
        <title>Errors</title>
        <search>
          <query>index=$tkn_dom$ host=$tkn_host$ sourcetype=$tkn_sourcetype$ ($tkn_search_txt$)</query>
          <earliest>$drilldown.earliest$</earliest>
          <latest>$drilldown.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">1</option>
      </event>
    </panel>
  </row>
</form>

标签: splunksplunk-querysplunk-dashboard

解决方案

推荐阅读