Applying fieldformat and using the original field value in drilldown

piukr
Explorer

I have a dashboard with several multi-value fields containing IP details. I applied the following fieldformat command to truncate the result of such fields for the dashboard view.

| fieldformat iplist=mvjoin(mvindex(iplist, 0, 9), ", ").if(mvcount(iplist)>10, " (".(mvcount(iplist)-10)." IPs truncated...)","")

The goal is to create a field similar to the output below:

10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6, 10.10.10.7, 10.10.10.8, 10.10.10.9, 10.10.10.10 (3 IPs truncated...)

The fields are displayed in a dashboard table view according to the formatting; however, when I try to drill down on these fields, the drilldown will carry over the formatted value, not the original multi-value content.

I have included a test dashboard to demonstrate the behaviour.

How can I modify the fieldformat command to truncate the field but also enable the dashboard to use the original field value in drilldowns?

Thanks

<form>
  <label>Fieldformat Test</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="tokIPList" searchWhenChanged="true">
      <label>IP List</label>
      <default>10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 10.10.10.5 10.10.10.6 10.10.10.7 10.10.10.8 10.10.10.9 10.10.10.10 10.10.10.11 10.10.10.12 10.10.10.13</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>IP List input text displayed as multi value field</title>
      <table>
        <search>
          <query>| makeresults 
| fields - _time
| eval iplist=$tokIPList|s$
| eval iplist=split(iplist, " ")
| table iplist
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="tokDrilldown">$row.iplist$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>IP List input text displayed with fieldformat applied</title>
      <table>
        <search>
          <query> <![CDATA[
| makeresults 
| fields - _time
| eval iplist=$tokIPList|s$
| eval iplist=split(iplist, " ")
| table iplist
| fieldformat iplist=mvjoin(mvindex(iplist, 0, 9), ", ").if(mvcount(iplist)>10, " (".(mvcount(iplist)-10)." IPs truncated...)","")
          ]]>
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="tokDrilldown">$row.iplist$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Drilldown test</title>
      <table>
        <search>
          <query>| makeresults 
| fields - _time
| eval formatted_iplist=$tokDrilldown|s$
| table formatted_iplist
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>


ITWhisperer
SplunkTrust

It looks like the values available to the drilldown are those which are "displayed". You could add an additional column with the unformatted IP addresses, then use CSS to hide (display: none) the untruncated column.

0 Karma
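
The approach suggested in the answer above, written out as a Simple XML dashboard. This is an added example, not code from the original posts; the names `iplist_full`, `iplistTable` and `neverShownCSS` are assumptions, and the CSS assumes the full-value column is the second column with row numbers off.

```xml
<form>
  <label>Fieldformat with hidden full-value column</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="tokIPList" searchWhenChanged="true">
      <label>IP List</label>
      <default>10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 10.10.10.5 10.10.10.6 10.10.10.7 10.10.10.8 10.10.10.9 10.10.10.10 10.10.10.11 10.10.10.12 10.10.10.13</default>
    </input>
  </fieldset>
  <!-- neverShownCSS is never set, so this row stays hidden while its style still applies -->
  <row depends="$neverShownCSS$">
    <panel>
      <html>
        <style>
          #iplistTable th:nth-child(2),
          #iplistTable td:nth-child(2) { display: none; }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table id="iplistTable">
        <search>
          <query><![CDATA[
| makeresults
| fields - _time
| eval iplist=split($tokIPList|s$, " ")
| eval iplist_full=mvjoin(iplist, " ")
| table iplist iplist_full
| fieldformat iplist=mvjoin(mvindex(iplist, 0, 9), ", ").if(mvcount(iplist)>10, " (".(mvcount(iplist)-10)." IPs truncated...)","")
          ]]></query>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- read the unformatted copy, not the fieldformat-ed display column -->
          <set token="tokDrilldown">$row.iplist_full$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Drilldown test</title>
      <table>
        <search>
          <query>| makeresults | fields - _time | eval full_iplist=$tokDrilldown|s$ | table full_iplist</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The CSS only hides the column in the rendered table; `iplist_full` is still part of the search results.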

piukr
Explorer

Thank you! It's not an ideal solution to include hidden fields, as those will show up once the users open the query in an external search, but I understand that there are no good options at the moment.

BR

0 Karma