Dear All
i came around a lot and did not find a solution on the following:
How to have a dashboard drill-down conditionally to two (2) destination forms, depending not on field/series clicked,
but on a simple form drop-down input (token), present in form and named db_name.
Not the common syntax:
<drilldown>
<condition field="A">
<link> ................</link>
</condition>
</drilldown>
But something like:
<drilldown>
<condition $db_name$ = NULL>
<link> .......form_01.........</link>
</condition>
<condition $db_name$ <> NULL>
<link> .......form_02.........</link>
</condition>
</drilldown>
So it is supposed to call two different drilldown target forms, depending on if the input db_name is set or empty (* default)
I hope what I am looking for is possible, as in the many docs and answers I browsed saw only field/series for such.
Any help will be deeply appreciated.
thank you very much
Altin
PS. I think there is an alternative. Making two identical dashboards, only one shows at a time, depending on the db_name inputted or empty. Each one drills unconditionally to its target. But it would not be practical for more then a few forms, I wish I could see this through in a better way.
Yes, this is easily done in Splunk 6.3 or newer.
<drilldown>
<condition match="isnull('db_name')">
<link>
<![CDATA[...]]>
</link>
</condition>
<condition match="isnotnull('db_name')">
<link>
<![CDATA[...]]>
</link>
</condition>
</drilldown>
Yes, this is easily done in Splunk 6.3 or newer.
<drilldown>
<condition match="isnull('db_name')">
<link>
<![CDATA[...]]>
</link>
</condition>
<condition match="isnotnull('db_name')">
<link>
<![CDATA[...]]>
</link>
</condition>
</drilldown>
thank you very much again
I will test and let you know ASAP.
One question(confirmation) before:
The second condition does not have a "match" (alias condition), because is the last on list ?
and if the first fires - it logically does not count ?
best regards
Altin
The second condition fires if the first one doesn't. Also, please respond in the comments of the answer (I moved your first response and now I am moving this one). Don't post your response as an answer.
thank you very much for the quick answer Rjthibod
meanwhile it took me some time to try, but I couldn't make it work.
I have an empty new tab (about:blank) in both case database drop-down is selected or * by default value.
I am inserting below the Database drop-down code:
<input type="dropdown" token="field_db_name">
<label>Database</label>
<prefix>"</prefix>
<suffix>"</suffix>
<default>*</default>
<fieldForLabel>DB_NAME</fieldForLabel>
<fieldForValue>DB_NAME</fieldForValue>
<search>
<query>`mc_vln` | DEDUP DB_NAME | FIELDS DB_NAME</query>
<earliest>0</earliest>
<latest></latest>
</search>
<change>
<set token="db_name_no_quotes">$value$</set>
<unset token="form.field_scan_run_id"></unset>
</change>
</input>
And also my dashboard - as I did apply the match function solution:
<panel>
<title>Health by Severity</title>
<chart>
<search>
<query>`mc_vln`
| search DB_NAME=$field_db_name$
| stats
earliest(_time) as SCAN_DT_START
count(eval(SEVERITY_ID=1 AND CTRL_FIND_ID=0)) as High_Correct,
count(eval(SEVERITY_ID=1 AND CTRL_FIND_ID=1)) as High_Finding,
count(eval(SEVERITY_ID=2 AND CTRL_FIND_ID=0)) as Medium_Correct,
count(eval(SEVERITY_ID=2 AND CTRL_FIND_ID=1)) as Medium_Finding,
count(eval(SEVERITY_ID=3 AND CTRL_FIND_ID=0)) as Low_Correct,
count(eval(SEVERITY_ID=3 AND CTRL_FIND_ID=1)) as Low_Finding
by SCAN_ID
| eval HRT_High = round(100 * High_Correct / (High_Correct+High_Finding), 2)
| eval HRT_Medium = round(100 * Medium_Correct / (Medium_Correct+Medium_Finding), 2)
| eval HRT_Low = round(100 * Low_Correct / (Low_Correct+Low_Finding), 2)
| table SCAN_DT_START SCAN_ID HRT_High HRT_Medium HRT_Low
| sort SCAN_DT_START
| fields - SCAN_DT_START
| rename SCAN_ID as "Scan Id" HRT_High as High HRT_Medium as Medium HRT_Low as Low</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">line</option>
<option name="charting.legend.labels">["High","Medium","Low"]</option>
<option name="charting.legend.placement">right</option>
<option name="charting.seriesColors">[0xFA4343,0xFFA042,0x00579F]</option>
<option name="charting.legend.masterLegend"></option>
<drilldown target="blank">
<condition match="isnull('field_db_name')">
<link>scan_data?form.field_db_name=$db_name_no_quotes$&form.field_scan_id=$row.Scan Id$&form.field_severity_name=$click.name2$</link>
</condition>
<condition match="isnotnull('field_db_name')">
<link>
<link>scan_compare_02?form.field_db_name=$db_name_no_quotes$&form.field_scan_run_id=$row.Scan Id$</link>
</link>
</condition>
</drilldown>
</chart>
</panel>
If I renounce conditioning - ie. use only drill-down to scan_data form whenever the database is selected or not - everything is OK. I do reach the scan_data form with correct variables in the URL.
Clarification
the db_name_no_quotes token is used and set inside the field_db_name declaration to have it without quotes in the drill URL
May be I have missed something from your idea during my setup ?
thank you very much
best regards
Altin
I am sorry, but I misunderstood what you needed based on your original post. Try this instead.
<drilldown target="blank">
<condition match=""'field_db_name'" == "*"">
<link>
<![CDATA[
scan_data?form.field_db_name=*&form.field_scan_id=$row.Scan Id$&form.field_severity_name=$click.name2$
]]>
</link>
</condition>
<condition>
<link>
<![CDATA[
scan_compare_02?form.field_db_name=$db_name_no_quotes$&form.field_scan_run_id=$row.Scan Id$
]]>
</link>
</condition>
</drilldown>
I tested,
but it always gets to the second condition whenever input field_db_name is set or no.
can you help?
thanks and regards
Altin
Sorry, missed something. Try this.
<drilldown target="blank">
<condition match="'field_db_name' == "*"">
<link>
<![CDATA[
scan_data?form.field_db_name=*&form.field_scan_id=$row.Scan Id$&form.field_severity_name=$click.name2$
]]>
</link>
</condition>
<condition>
<link>
<![CDATA[
scan_compare_02?form.field_db_name=$db_name_no_quotes$&form.field_scan_run_id=$row.Scan Id$
]]>
</link>
</condition>
</drilldown>
sorry, but it still goes only to the second choice scan_compare_02.
I can paste the whole code if you need. or at least until this dashboard.
thank you very much
Altin
I did fixed it by replacing the field_db_name input with the un-quoted one:
<condition match="'db_name_no_quotes' == "*"">
this made the switching of forms!
I would be curious to see how this would work with the original input token - field_db_name
thank you very much for your help,
best regards
Altin