Dashboards & Visualizations

Can I reference a dynamic fieldname in simple xml?

vbumgarner
Contributor

If I have a table, with columns a and _a, when the user clicks on a, I want to get the value of _a

The problem is that a is completely dynamic.

I can get the value of a using $click.name2$, which is fine, but I cannot figure out how to convince set or eval to reference the value of _a. For instance:

<set token="foo">$row._$click.name2$$</set>

or

<eval token="foo">row._$click.name2$</eval>

or

<eval token="foo">'row._$click.name2$'</eval>

Any ideas?

Here's a sample dashboard that illustrates. The goal is to set the token "right" where the column name is completely unknowable.

<dashboard>
  <label>trash me testing dynamic drilldown</label>
  <row>
    <panel>
      <html>
        y=$y$ &lt;br/&gt;
        x=$x$ &lt;br/&gt;
        left=$left$ &lt;br/&gt;
        right=$right$ &lt;br/&gt;
        </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>
            <![CDATA[
            | makeresults count=10
            | eval x=substr("x"+md5(tostring(random(),"commas")),0,10)
            | eval y=substr("y"+md5(tostring(random(),"commas")),0,10)
            | eval v="left"+y+":right"+y
            | chart last(v) by y x
            | filldown
            | foreach x* [rex field="<<FIELD>>" ".*?:(?<_<<FIELD>>>.*)"]
            | foreach x* [rex field="<<FIELD>>" "(?<<<FIELD>>>.*):.*"]
            ]]>
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="y">$row.y$</set>
          <set token="x">$click.name2$</set>
          <set token="left">$click.value2$</set>
          <set token="right">$row._$click.name2$$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma

sdchakraborty
Contributor

Hi,
If I understand your requirement correctly you have column a as well as some other column lets say a_new (a new column which name have a in it) in your table. Like that you have multiple set of this column pairs. Your requirement is to click any cell in a and you want to get the corresponding value of a_new.

Here is my data setup, I have indexed the data in main index.

nutral_col    col1        col1_new     col2         col2_new      
nc_val1       col1_val1   _col1_val1   col2_val1    _col2_val1
nc_val2       col1_val2  _col1_val2    col2_val2    _col2_val2
nc_val3       col1_val3  _col1_val3    col2_val3    _col2_val3

Now here is my xml dashboard. The idea is when we click on any cell we will run a search to get the value of the other cell,

<form>
  <label>demo</label>
  <fieldset submitButton="false">
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Data Details</title>
        <search>
          <query>index="main" | table nutral_col,col1,col1_new,col2,col2_new,col3,col3_new | sort nutral_col</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="clicked_cell">$click.value2$</set>
          <set token="clicked_col">$click.name2$</set>
          <set token="clicked_nutral_cell">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval clicked_cell = "$clicked_cell$" | eval clicked_col = "$clicked_col$" | eval clicked_nutral_cell = "$clicked_nutral_cell$"| table clicked_nutral_cell,clicked_cell,clicked_col</query>
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>New_val</title>
        <search>
          <query>index="main" | eval clicked_col = $clicked_col$ | search $clicked_col$ = "$clicked_cell$"  | table $clicked_col$_new </query>
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please let me know whether this satisfies your requirement. The New_val table will give you desired result. This will work for any number of columns and also you can change the New_val table query according to your need.

0 Karma

DalJeanis
Legend

The answer is going to depend on what you mean by "completely unknowable". It's obviously possible, but you may have to pass the values through another search... which makes the drilldown rather indirect.

Let's start with clarifying the underlying theory -

First, you have a search that is producing a table. The table has the same data as key values in column Y as it does for column names in X. To simplify and illustrate this factor, we've reduced the number of characters in your random fields, because this fact was obscured by the complexity of your random data. We've also replaced the cell values with letters.

y            X_a87ff     X_c4ca4    X_c81e7    X_eccbc
Y_a87ff         A           B          C          D 
Y_c4ca4         E           F          G          H 
Y_c81e7         I           J          K          L 
Y_eccbc         M           N          O          P 

When the user clicks on a cell, for example the cell containing M, you want to pass the following data

y          Y_eccbc
x          X_a87ff
left       the contents of M
right      the contents of...something...probably whatever column was named in M...

I'm inferring from your language that the contents of M contains the name of another field. Let's say for sake of example that the value of M is c81e7, and therefore what you want to pass is the value stored in cell O.

If I've correctly analyzed your requirements, then here's how I'd approach your use case:

First, I would note that the result, while dynamic, is deterministic. Once the table is produced, clicking on a cell will only take you one place.

Second, I would note that the result of clicking any given cell can be determined in advance of clicking that cell.

Third, I would call your attention to the "untable" command, which can flatten a matrix into a form that is quite useful.

If you turn your table into a base search, and feed your table in post-processing to the following untable command...

 | untable y columnName columnValue

... then that post-processing command will produce a new table that looks, in part, like this

y         columnName columnValue
Y_eccbc   X_a87ff         M 
Y_eccbc   X_c4ca4         N 
Y_eccbc   X_c81e7         O 
Y_eccbc   X_eccbc         P 

From our assumptions above, we know our user has clicked in cell M, which contains the value c81e7. It is now possible to filter the above table on our Y and left value, to determine that right should receive whatever is in slot O.

In essence, the above table can be joined to itself where the left side keys are y and columnValue and the right side keys are 'y' and 'columnName', with a rename of the right side columnValue field to columnValue2, etc.

0 Karma

vbumgarner
Contributor

The ultimate goal is to get at a non-displayed piece of information and use it for a drilldown. The issue is that the column names are dynamic, so you can't simply reference $row.x$.

What I ended up doing is running another query based on the visible value and populating an HTML block with other information, including a link, which the user can then follow.

What's missing currently in the token syntax is something like this:
$tokens[$other_token_name$]$

Or even the ability to get at the value of a cell before fieldformat is applied.

0 Karma

niketn
Legend

@vbumgarner although a is completely dynamic, can you add some sample data for a and _a for us to assist you better?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

vbumgarner
Contributor

I added a sample dashboard to illustrate the problem.

0 Karma

niketn
Legend

@vbumgarner, row._$click.name2$ does not seem to be a valid drilldown token for table. Could you explain from where you have picked up the token (any documentation link)? Also which value do you intend to capture from the token?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rvany
Communicator

You said The goal is to set the token "right" where the column name is completely unknowable.

In your final dashboard the fieldnames are created the same way as in your sample data, i.e. through eval expressions? (or is this just to create random sample data?)

0 Karma

renjith_nair
Legend

Is it possible to display _a as the first column in the table? If yes , then you could just pick up $click.value$ which is the leftmost field (column) value in the clicked table row.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...