AdvancedXML and views and Intentions

matt_arguin
Explorer

I have been trying to figure this out. I am using the dbx module to do a sql lookup that creates a table, this part works... then, when you click on an entry in that table, another sql is executed using the value you clicked ($click.value$) as part of the next sql. I have been looking at various UI examples, then found that the DBinfo view of dbx itself is seemingly pretty close, so I started over, using that as the starting point, and started replacing things to get what I need. I am back to having the initial sql work, but when I try to click on a result, the second sql is adding "search " before the | mysqlquery, which does not work. I tried removing and moving things... still cannot get this to do what I want. Any help would be greatly appreciated.

here is my current XML:


    
  
  
  
  
    *
    False
    1
  
  
    dashboard
  
  
  
    
      This is the exact same config, except we render into an interactive table instead of an interactive chart. Since the search in the table has no 'split-by' data, we configure the table with the 'row' highlighting rather than full on 'cell' highlighting, so as to not to confuse our users. Please Click on a Broker Name to get the supported country list.
    
  
  
    | mysqlquery spec="forexpert" query="select distinct(b.name) from Broker b join BrokerCountryCode bcc on bcc.broker_id=b.id where bcc.supported=true and bcc.visible=true;"
    -1h
    
      bar
     
     
      none
      
      
      
      
        row
        results

        
        
          results
          Supported Countries for $click.value$
        
                
        
        
          | mysqlquery spec="forexpert" query="select distinct(b.name) from Broker b join BrokerCountryCode bcc on bcc.`broker_id`=b.id where b.name = $click.value$ and bcc.`supported`=true and bcc.`visible`=true;"
           
          -1h
          
          
            
              addterm
                
              
               $click.value$
              
              
              indexed
            

            
            
            
              line
              none
              none
              none
              
                100%
                160px
              
            
          
        
      
    
  

Yeah, I did remove that at one point and it did put it at the end, but what I am trying to get it to do is to populate the $click.value$ in the second mysql query rather than add a pipe and the value at the end. Basically I want my second search as it is sent to Splunk to look like this (assuming that I have clicked on the word "HELP"):

| mysqlquery spec="forexpert" query="select distinct(b.name) from Broker b join BrokerCountryCode bcc on bcc.broker_id=b.id where b.name = HELP and bcc.supported=true and bcc.visible=true;

when i do what you suggest i get something similar to this:

None | mysqlquery spec="forexpert" query="select distinct(b.name) from Broker b join BrokerCountryCode bcc on bcc.broker_id=b.id where b.name = $click.value$ and bcc.supported=true and bcc.visible=true; | series="HELP"

on that.. 2 things:

  1. does that "None" that is prepended get ignored?
  2. how can i get that HELP replacement in to my sql query?

sideview
SplunkTrust

remove the

<param name="flags"><list>indexed</list></param>

flag from the intention. This is telling Splunk that you want the added terms to apply to the first search clause. If you take that out the default behavior is more conservative and the added term will go on the end after the mysqlquery command.

UPDATE:

Ah. Well then if you want to keep using intentions you would have to get comfortable with the "stringreplace" intention, which is easier said than done. The Splunk Dashboard Examples app does have some examples of how to use stringreplace intentions.

However my advice is to switch at this point and start using the Sideview Utils app to simplify your views and speed up your dashboard development. There are tons of advantages to this switch and I think you're officially past the tipping point here.

If you install the Sideview Utils app on your system, here is a rewritten copy of your view, and you'll never have to think about intentions again.

<view template="dashboard.html">
  <label>Broker Supported Countries Lookup</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader" />
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>

  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">| mysqlquery spec="forexpert" query="select distinct(b.name) from Broker b join BrokerCountryCode bcc on bcc.broker_id=b.id where bcc.supported=true and bcc.visible=true;"</param>
    <param name="earliest">-1h</param>

    <module name="HiddenChartFormatter">
      <param name="chart">bar</param>
      <param name="legend.placement">none</param>

      <module name="JobProgressIndicator"/>

      <module name="SimpleResultsTable">
        <param name="drilldown">row</param>
        <param name="entityName">results</param>

        <module name="SimpleResultsHeader">
          <param name="entityName">results</param>
          <param name="headerFormat">Supported Countries for $click.value$</param>
        </module>

        <module name="Search">
          <param name="search">| mysqlquery spec="forexpert" query="select distinct(b.name) from Broker b join BrokerCountryCode bcc on bcc.`broker_id`=b.id where b.name=$click.value$ and bcc.`supported`=true and bcc.`visible`=true;"</param>
          <param name="earliest">-1h</param>

          <module name="JobProgressIndicator"></module>

          <module name="HiddenChartFormatter">
            <param name="chart">line</param>
            <param name="primaryAxisTitle.text">none</param>
            <param name="secondaryAxisTitle.text">none</param>
            <param name="legend.placement">none</param>

            <module name="FlashChart">
              <param name="width">100%</param>
              <param name="height">160px</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>

The most recent version of Sideview Utils is 2.6.2 and you can get it from the Sideview site at http://sideviewapps.com/apps/sideview-utils, and it is free for internal use. Note that if you get the LGPL version from Splunkbase that will be a very old version - 1.3.5. It'll still work but you'll be missing hundreds of bugfixes, plus features, performance improvements, not to mention much better documentation and examples.

0 Karma
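
An added example, not part of the original posts: a Python model of substituting $click.value$ into the thread's mysqlquery search. It shows that plain text replacement yields a bare identifier (or a broken statement when the name contains a quote), and how the value can instead be rendered as an escaped SQL string literal. The function names and sample broker names are constructed for illustration; the escaping assumes MySQL's default sql_mode and backslash escaping inside double-quoted SPL arguments, and how mysqlquery itself forwards the string is not shown on the page.

```python
import re

# Search string from the thread; $click.value$ is the drilldown token.
TEMPLATE = (
    '| mysqlquery spec="forexpert" query="select distinct(b.name) from Broker b '
    'join BrokerCountryCode bcc on bcc.broker_id=b.id '
    'where b.name = $click.value$ and bcc.supported=true and bcc.visible=true;"'
)
TOKEN = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def naive_substitute(template, tokens):
    """Plain text replacement: the clicked value lands in the SQL as-is."""
    return TOKEN.sub(lambda m: tokens[m.group(1)], template)


def mysql_literal(value):
    """Render value as a single-quoted MySQL string literal.

    Assumes the default sql_mode, where backslash is an escape character.
    """
    if any(ord(c) < 0x20 for c in value):
        raise ValueError("control characters are not expected in a broker name")
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def spl_escape(text):
    """Escape text for the inside of a double-quoted SPL argument (assumed rules)."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def safe_substitute(template, tokens):
    """Substitute each token as an SQL literal, escaped for the outer query="..."."""
    return TOKEN.sub(
        lambda m: spl_escape(mysql_literal(tokens[m.group(1)])), template
    )


if __name__ == "__main__":
    # Constructed sample values: a plain name and one containing quotes.
    for name in ("HELP", 'O\'Neil "FX"'):
        print("naive:", naive_substitute(TEMPLATE, {"click.value": name}))
        print("safe :", safe_substitute(TEMPLATE, {"click.value": name}))
```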

matt_arguin
Explorer

added more to the bottom of the question above re: your answer. pls see above.

0 Karma