All Apps and Add-ons

Sideview Utils: Is there a way to add an 'arg.earliest' param to the HTML module for a drilldown timerange token?

subtrakt
Contributor

I would like to remove earliest=-7d@d from the drilldown search below, but keep a drilldown token to 7d@d via a param. I have to keep this as an HTML module. Is there a way I can add an 'arg.earliest' param to the HTML module?

<module name="Paginator">
            <param name="count">5</param>
            <param name="entityName">results</param>            
            <module name="Table">
              <module name="HTML" group="row.fields.TEST">
                    <param name="html"><![CDATA[       
                            <a href="flashtimeline?q=index=$row.fields.orig_index$ **earliest=-7d@d** $row.fields.TEST$" target="_blank">$row.fields.TEST$</a>
                            ]]></param>
                </module>

        </module>
    </module> 
1 Solution

sideview
SplunkTrust
SplunkTrust

OK thanks for the extra detail. It's actually far better to use our Link module here instead of the HTML module.
Note that I've also swapped out the legacy Paginator module for Sideview's Pager module. And fwiw the Splunk ConvertToDrilldownSearch module is useless in Sideview XML.

This will give you a paged table, where each table cell under the "TEST" column has been made into a little link, and where clicking that link takes the user to search for that given row's index, in the flashtimeline view, in a new browser window.

<module name="Pager">
  <param name="count">5</param>
  <module name="Table">
    <module name="Link" group="row.fields.TEST">
      <param name="label">$row.fields.TEST$</param>
      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search $row.fields.orig_index$</param>
        <param name="popup">True</param>
      </module>          
   </module>
</module> 

And if you want to pass along the existing timerange, you can give the Redirector <param name="arg.latest">$search.timeRange.latest$</param> and/or <param name="arg.earliest">$search.timeRange.earliest$</param>

View solution in original post

sideview
SplunkTrust
SplunkTrust

OK thanks for the extra detail. It's actually far better to use our Link module here instead of the HTML module.
Note that I've also swapped out the legacy Paginator module for Sideview's Pager module. And fwiw the Splunk ConvertToDrilldownSearch module is useless in Sideview XML.

This will give you a paged table, where each table cell under the "TEST" column has been made into a little link, and where clicking that link takes the user to search for that given row's index, in the flashtimeline view, in a new browser window.

<module name="Pager">
  <param name="count">5</param>
  <module name="Table">
    <module name="Link" group="row.fields.TEST">
      <param name="label">$row.fields.TEST$</param>
      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search $row.fields.orig_index$</param>
        <param name="popup">True</param>
      </module>          
   </module>
</module> 

And if you want to pass along the existing timerange, you can give the Redirector <param name="arg.latest">$search.timeRange.latest$</param> and/or <param name="arg.earliest">$search.timeRange.earliest$</param>

subtrakt
Contributor

Works great except for <param name="popup">True</param>

Does popup param work for you on the Link module? Popup param works for me on your other modules. Am I doing something wrong or is there a work-around?

<module name="HiddenSavedSearch"  layoutPanel="panel_row1_col1" autoRun="True">
        <param name="useHistory">auto</param>
        <param name="savedSearch">ERROR_SUMMARY</param>
        <module name="Export">
            <param name="exportType">results</param>
        </module>
        <module name="Pager">
            <param name="count">5</param>
            <module name="Table">
        <module name="Link" group="row.fields.TEST">
       <param name="label">$row.fields.TEST$</param>
        <module name="Redirector">
         <param name="url">flashtimeline</param>
         <param name="popup">True</param>
         <param name="arg.q">search index=$row.fields.orig_index$ $row.fields.TEST$</param>
         <param name="arg.earliest">$search.timeRange.earliest$</param>
            </module>
            </module> 
            </module> 
</module>
</module>
0 Karma

sideview
SplunkTrust
SplunkTrust

Interesting! It's a bit of a long story, but alongside your <param name="popup">True</param> on the Redirector module (popup is a param for Redirector btw not Link), add this additional param.

<param name="target">_blank</param>

What's happening is that when Redirector and Link see eachother, they basically conspire that, instead of launching windows with JS when the link is clicked, they'll work together to rewrite the href and target attributes of the link tag itself. By so doing, you get all kinds of free features like right-clicks working, and ctrl-clicks working etc. However.... if only the popup param is set and NOT the target param, there is a bug where effectively the popup param gets ignored. Thank you for pointing this out and I'll get it fixed in the next release.

0 Karma

sideview
SplunkTrust
SplunkTrust

two other little FYI's
1) our SavedSearch module is designed to obsolete HiddenSavedSearch.

2) Likewise SearchControls can replace Export. SearchControls can be configured to present a subset of controls, or only a single export button like so:

export

It will present a little clickable export icon instead of an "Export" link.

0 Karma

subtrakt
Contributor

Thanks for the extra info. I am now using SearchControls (export) and SavedSearch modules.

Is independent panel refresh available in sideview? Where I can just set the panel to refresh instead of the full view?

0 Karma

sideview
SplunkTrust
SplunkTrust

There's an AutoRefresh module designed for that. Put it just upstream from everything you wish to refresh. that might be just one panel worth of config, or multiple panels, or the whole page. Check out it's page of documentation and examples within the Sideview Utils app itself. Navigate in the navbar to "Module Documentation > Advanced Modules > The AutoRefresh Module". that page will tell you about the different ways to configure it.

0 Karma

subtrakt
Contributor

Thanks again. Sideview is amazing!

0 Karma

sideview
SplunkTrust
SplunkTrust

Could you specify a little more, what you want the user-experience to be? the wording is a little ambiguous to me which makes it hard to answer effectively.
I see you're using Table-embedding to embed links into the "TEST" column. Are you asking how to have those links strip away the timerange argument (and become all-time searches) and how to at the same time have actual inline-drilldown config to other searches and tables/charts on the page, that will still has the 7d@d timerange when a user clicks on the whole row? I suspect that's not quite what you're asking but if you can specify what you need in that sort of "user needs X" style I can totally tell you how to get it done.

0 Karma

subtrakt
Contributor

Its a hassle sometimes for the user to have to take out earliest=-7d@d from the flashtimeline search if they don't want 7d@d.

This is what i'm trying to achieve but i don't think it will work under html module that already has href set up.

<module name="ConvertToDrilldownSearch">
                    <module name="Redirector">
                        <param name="url">flashtimeline</param>
                        <param name="popup">True</param>
                        <param name="arg.earliest">-7d@d</param>
                        <param name="arg.latest">$search.timeRange.latest$</param>
0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...