Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Sideview Utils: How to make a pivot link an active...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I currently have a dashboard that utilizes the Table module. This table displays the results of a search macro, which runs against network sensor data. I also have the Checkbox module embedded to allow analysts to acknowledge events they're reviewed, and this state gets written to a kv store collection as a second search once the checkbox is checked.
One of the fields that gets returned from the macro is a pivot link, which links to an external sensor dashboard. The structure is dynamic to a degree, and within my tabled display I have this link listed under the column "Event Link". I can't determine a way to enable drilldown using the Table module, and likewise using the SimpleResultsTable module I can't determine a way to embed the checkbox. So my question is - how can I make this pivot link an active link that analysts can click on and pivot to the sensor dashboard?
Part of my dashboard code is below. Thanks!
<view autoCancelInterval="90" isSticky="False" onunloadCancelJobs="true" template="dashboard.html">
<label>Testing Sideview</label>
<module name="AccountBar" layoutPanel="appHeader" />
<module name="AppBar" layoutPanel="appHeader" />
<module name="SideviewUtils" layoutPanel="appHeader" />
<module name="TextField" layoutPanel="panel_row1_col1" autoRun="True">
<param name="name">wild</param>
<param name="float">left</param>
<param name="label">Search</param>
<param name="default">*</param>
<module name="Search">
<param name=”search”>`Test_Macro(wild=”$wild$”)` | eval Acknowledge="" | lookup myLookup myIdField OUTPUT state</param>
<param name="earliest">-1d</param>
<param name="latest">now</param>
<module name="Pager">
<module name="Table">
<module name="ValueSetter" group="row.fields.Acknowledge">
<param name="name">state</param>
<param name="value">$row.fields.state$</param>
<module name="Checkbox">
<param name="name">state</param>
<param name="onValue">ack</param>
<param name="offValue"></param>
<module name="Search">
<param name="search">| inputlookup myLookup | append [stats count | fields - count | eval myIdField="$row.fields.myIdField$" | eval state="$state$"] | stats last(state) as state by myIdField | outputlookup myLookup</param>
<module name="CustomBehavior">
<param name="requiresDispatch">True</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice work getting the Checkbox to pick up the right checked state from the ValueSetter, and to then use inputlookup + append + stats + outputlookup to write the modified state when each checkbox is clicked.
To make your eventLink field value into a working drilldown link, ie a plain old clickable blue link that loads an external webpage, it's actually easy compared to the other advanced stuff here. You just Table-embed an HTML module.
ie, if "eventLink" was the field holding your URL values, you would put this just inside the Table module:
<module name="HTML" group="row.fields.eventLink">
<param name="html"><![CDATA[
<a href="$row.fields.eventLink$" target="_blank">view details</a>
]]></param>
</module>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice work getting the Checkbox to pick up the right checked state from the ValueSetter, and to then use inputlookup + append + stats + outputlookup to write the modified state when each checkbox is clicked.
To make your eventLink field value into a working drilldown link, ie a plain old clickable blue link that loads an external webpage, it's actually easy compared to the other advanced stuff here. You just Table-embed an HTML module.
ie, if "eventLink" was the field holding your URL values, you would put this just inside the Table module:
<module name="HTML" group="row.fields.eventLink">
<param name="html"><![CDATA[
<a href="$row.fields.eventLink$" target="_blank">view details</a>
]]></param>
</module>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked perfect, and was much easier than I expected. Any plans to add drilldown functionality to the Table module, so if an analyst would like to click on say an event ID to drilldown from within Splunk they can? I know you can do it with SimpleResultsTable, but then I'd lose the ability to embed the Checkbox.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure. Drilldown is actually a bit easier with the Table module compared to SimpleResultsTable. One thing that might have thrown you is that the tokens look like $row.fields.fieldName$ instead of $click.value$ and $click.name2$ etc. Table docs inside Sideview Utils itself have docs and examples of both "inline drilldown" and the more common kind that redirects to another view to run another search onclick.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. The example threw me a bit because it was using drilldown for the entire row, not for a specific cell and I think I got lost about where to add the search in. I'll mess around with it and if I have other questions I'll post a new questions.
Thanks.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
