All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Parameters from two pages

sshah_splunk
Splunk Employee
Splunk Employee
‎07-02-2013 01:51 PM

How can a view in advanced xml receive values from two different pages using URLLoader. One of the two modules supplying parameters is a drilldown from the same page.

0 Karma
Reply

sshah_splunk
Splunk Employee
Splunk Employee
‎07-15-2013 11:18 AM

Here is the xml


case_index
$case$

  <module name="TextField">
    <param name="name">case_index</param>
    <param name="label">Case number:</param>

    <param name="float">left</param>

    <module name="Search">
      <param name="search">| metadata type=hosts index="case_$case_index$" | sort
      host</param>
      <module name="Pulldown">
        <param name="name">host</param>

        <param name="label">Host:</param>
        <param name="float">left</param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">host</param>
            <param name="value">host</param>
          </list>
        </param>
        <param name="staticFieldsToDisplay">
          <list>
            <param name="label">Choose...</param>
            <param name="value"></param>
          </list>
          <list>
              <param name="label">All</param>
              <param name="value">*</param>
         </list>
        </param>

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <module name="HTML" >
          <param name="html"><![CDATA[
         <b><h1>Users for case: $case_index$, host: $host$</font></h1></b><br>]]>         </param>
          </module>
<param name="search">
  index="case_$case_index$" host="$host$" source="*web_access.log" NOT user="-" | chart count(sid) as a by user </param>
<param name="groupLabel">indi</param>
<param name="earliest">0</param>
<module name="ViewstateAdapter">
  <param name="suppressionList">
    <item>count</item>
    <item>charting.chart.stackMode</item>
    <item>charting.chart</item>
    <item>charting.legend.placement</item>
    <item>displayRowNumbers</item>
    <item>charting.chart.nullValueMode</item>
    <item>charting.layout.splitSeries</item>
  </param>
  <module name="HiddenFieldPicker">
    <param name="strictMode">True</param>
    <module name="JobProgressIndicator">
      <module name="EnablePreview">
        <param name="enable">True</param>
        <param name="display">False</param>
        <module name="HiddenChartFormatter">
          <param name="charting.chart.stackMode">default</param>
          <param name="charting.legend.placement">right</param>
          <param name="charting.chart">pie</param>
          <param name="charting.layout.splitSeries">false</param>
          <param name="charting.chart.nullValueMode">gaps</param>
          <module name="FlashChart">
      <module name="Redirector">
        <param name="url">User_panel</param>
        <param name="arg.user">$click.value$</param>
        <param name="arg.case_index">Showing report for User="$case_index$"</param>
        <param name="arg.host">Showing report for User="$click.host$"</param>
     </module>   
     </module>
           <param name="charting.chart.sliceCollapsingThreshold">0</param>
          <module name="ViewRedirectorLink">
            <param name="viewTarget">flashtimeline</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

The initial value for the case number comes from another page. Once you get the case number you can evaluate the host.Since I redirect from the flashchart I pass the case number along.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎07-02-2013 06:45 PM

You can chain together drilldowns across multiple pages, and you can certainly have a page's Redirector redirect back to the same page. It's just a matter of making sure in each case the right $foo$ keys are ending up as the right querystring arguments...

There are some nuances beyond that, like remember the cardinal rule of using $foo.rawValue$ for URL's and redirects, at least when there is such a key. the rawValue version will not be backslash-escaped or templated and that's what you want to correctly prepopulate things in the target view.

Also, if you're washing the interaction through certain kinds of "generic" interfaces, where you need to kind of overlay drilldown args down on top of form-search args, and then after Redirection prepopulate the correct form-search element.... that can be done too and it's just a matter of getting to know ValueSetter, doing $foo$ substitution in its value param (and sometimes in its name param too), and for really really open ended "report builder" style interfaces, using the Report module to act as a coordinator to keep all the drilldowns and Redirectors coordinated.

There are docs for all these bits and pieces, but if you have a more specific question feel free to post your XML or post a link to pastebin and I'll edit this answer.

UPDATE: I cleaned up your XML a lot and edited your drilldown config. Here it is. http://pastebin.com/YRmvHM65

  • autoRun="True". You had nested an autoRun="True" inside another one, which is dangerous and serves no legitimate purpose. I removed those.

  • dead/redundant code. You had a bunch of params and modules that are redundant noise carried over by the Simple XML conversion. I deleted those.

  • unnecessary nesting. Simple XML conversion nests everything inside EnablePreview and JobProgressIndicator, which doesn't do anything besides make the page harder to read. I removed that.

  • <param name="earliest">0</param>. I think this is a carryover from simple xml version too, and the absence of a timerange is the "all time" timerange so I deleted these too.

  • in the "arg.host" passed by Redirector, you were trying to get it from $click.host$, but a) the search result rows there don't have a "host" field, and that key wouldn't work to get it from a FlashChart click anyway. I think you meant to get it from the $host$ key, and since the best practice is to use $*.rawValue$ always for redirects, when the key is coming from a module like Pulldown/TextField, I've used $host.rawValue$. Similarly I didn't understand why you were passing $case_index$ as a big header string so I changed that too.

http://pastebin.com/YRmvHM65

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...