topic Re: Changing Display columns depending on sourcetype in Dashboards & Visualizations

Changing Display columns depending on sourcetype

praspai — Fri, 24 Aug 2018 12:49:03 GMT

In Dashboard depending on sourcetype selected in the dropdown list, we want to display different fields on the dashboard. Since fields can change in the future we have created a lookup for it. So depending on source type the lookup should be queried and get the display columns. I am trying something like below but doesn't seem to work

index=test sourcetype="XXX"|table [|inputlookup SourceType-Attributes sourcetype="XXX" | fields Attribute]

Re: Changing Display columns depending on sourcetype

renjith_nair — Fri, 24 Aug 2018 13:06:40 GMT

@praspai,

Try

index=nirds sourcetype="XXX"|lookup SourceType-Attributes sourcetype

provided sourcetype is a column inside the lookup.

Below is a run anywhere example. Here we select Argentina to create a dummy search and lookup against the lookup file

| inputlookup geo_attr_countries.csv|search country="Argentina"|lookup geo_attr_countries.csv country

Re: Changing Display columns depending on sourcetype

praspai — Fri, 24 Aug 2018 13:26:51 GMT

It's not working 😞 . It just displays the events. I want to display it in the table.

Re: Changing Display columns depending on sourcetype

kamlesh_vaghela — Fri, 24 Aug 2018 13:40:48 GMT

@praspai,

Can you please try the following approach?
1) As your lookup contains sourcetype and list of fields, use the sourcetype as a lable and list of fields as a value in dropdown.

2) Set tokens for sourcetype and fields which will be used in search query.

eg:

<input type="dropdown" token="sourcetype_tkn">
  <label>SourceType</label>
  <fieldForLabel>sourcetype</fieldForLabel>
  <fieldForValue>Attribute</fieldForValue>
  <search>
    <query>| inputlookup SourceType-Attributes | fields sourcetype Attribute</query>
  </search>
  <change>
    <set token="Attribute">$value$</set>
    <set token="sourcetype">$label$</set>
  </change>
</input>

3) Use token in your search
eg.

index=test sourcetype="$sourcetype$" | table $Attribute$

Can you please try below code?

<form>
  <label>Test1</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype_tkn">
      <label>SourceType</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>Attribute</fieldForValue>
      <search>
        <query>| inputlookup SourceType-Attributes | fields sourcetype Attribute</query>
      </search>
      <change>
        <set token="Attribute">$value$</set>
        <set token="sourcetype">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
      <b>Source Type:</b> $sourcetype$  
      <b>Attribute :</b>$Attribute$  

    </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>My Table</title>
        <search>
          <query>index="_internal"  sourcetype=$sourcetype$ | table $Attribute$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

My Sample Dashboard:

<form>
  <label>Test1</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype_tkn">
      <label>SourceType</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>Attribute</fieldForValue>
      <search>
        <query>| makeresults | eval sourcetype="splunkd", Attribute="component, index, source" | append [| makeresults | eval sourcetype="splunk_web_service", Attribute="log_level, component,requestid" ] | table sourcetype Attribute</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <set token="Attribute">$value$</set>
        <set token="sourcetype">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
      <b>Source Type:</b> $sourcetype$  
      <b>Fields :</b>$Attribute$  

    </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>My Table</title>
        <search>
          <query>index="_internal"  sourcetype=$sourcetype$ | table $Attribute$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Thanks

Re: Changing Display columns depending on sourcetype

praspai — Fri, 24 Aug 2018 14:14:23 GMT

Hi @kamlesh_vaghela ,

thanks for the reply.

Your example works correctly. But in the case of fields from the lookup, its taking only first row to display. It's not displaying all columns mentioned in the lookup table.

Re: Changing Display columns depending on sourcetype

renjith_nair — Fri, 24 Aug 2018 14:32:34 GMT

just add the table command at the last with the fieldnames |table "field list"

Re: Changing Display columns depending on sourcetype

kamlesh_vaghela — Fri, 24 Aug 2018 17:00:37 GMT

@praspai,

It should work. Can you please check whether field mentioned in lookup has 100% coverage?