Hide a field from JSChart

tysonstewart
Path Finder

Related to (or probably replacing) my question: How to use fieldHideList, I want to hide a field from JSChart, but use it to redirect a click to an external website. I downloaded and installed Sideview Utils hoping it would provide the functionality, but I still can't figure it out.

Am I the only one who wants to do something like this? Hide an ID, display a different value, and direct the user somewhere based on the ID? It doesn't seem like that strange of a use-case.

1 Solution

sideview
SplunkTrust

I'm afraid the JSChart is unable to do this directly. Also since patching JSChart in particular has been very tricky I'm afraid I'm not willing to offer a potential patch even though it would be a very useful one.

In the long run there will eventually be a Sideview Chart module built to replace JSChart, and I'll certainly build in this feature because absolutely it is very commonly requested.

And in the short run you actually can do this, if you're willing to learn how to play some shell games with PostProcess and ResultsValueSetter ....

In the following example, I've used the field "groupName" as the name we want to chart by visually, and I've created another field called "groupId" to stand in for the id you need to use in the drilldown search and that you do NOT want to display in the chart.

The basic idea is that both groupName and groupId are present in the base search results. PostProcess reaches in and removes the groupId so the FlashChart doesn't know it's there. Then in the drilldown wiring, another PostProcess gives us a single row result-set that just submits the groupName and gets the groupId field. Then ResultsValueSetter will reach up and pull down groupId, making it available downstream as $groupId$. Then you're done. You can use $groupId$ as though it came from the JSChart drilldown.

<module name="Search" autoRun="True">
  <param name="search">index=_internal source="*metrics.log" group="per_*_thruput" | rename group as groupName | stats sum(kb) as KB by groupName | streamstats count as groupId</param>
  <param name="earliest">-1h</param>
  <param name="latest">now</param>

  <!-- now JSChart can't see the groupId field so it won't chart it -->
  <module name="PostProcess">
    <param name="search">fields - groupId</param>
    <module name="HiddenChartFormatter">
      <param name="charting.chart">column</param>
      <module name="JSChart">
        <!-- we create a tiny little postprocessed resultset that has only one row
        and that has both groupName and associated groupId -->
        <module name="PostProcess">
          <param name="search">search groupName="$click.value$" | table groupId</param>
          <!-- we use ResultsValueSetter to "pull down" the groupId value -->
          <module name="ResultsValueSetter">
            <param name="fields">groupId</param>
            <!-- now we can use $groupId$ to our heart's content -->
            <module name="Search">
              <param name="search">| stats count | fields - count | eval message="hey presto now you can plug groupId into any search" | eval groupId="$groupId$"</param>
              <module name="Table"/>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

tysonstewart
Path Finder

Nice. Thanks!
