Dashboards & Visualizations

Do this in Simple XML?

Builder

I am using Advanced XML and plan on doing so as long as I can but I am curious to know whether I can do the following in Simple XML. This is a small sample of stuff I do every day in Advanced XML.

Hide one or more columns in a table

Pass multiple arguments, including hidden columns, to a new dashboard from table results as drilldowns

Replace column values with icons based on value

Tags (2)

Revered Legend

For requirement 2, use the example dashboard "Table Icon Set" from the "Splunk 6.x Dashboard Example" app.

App link: https://splunkbase.splunk.com/app/1603/

0 Karma

Path Finder

"Pass multiple arguments, including hidden columns, to a new dashboard from table results as drilldowns"

I was just doing this yesterday and recalled your question.
You can use the drilldown option and then the link to specify the new dashboard URL. In this you can include the token value (mine was row.Account) and assign this to an input field (mine was called UserInput). I have left in the XML for setting the token for normal drilldown use two - I often have both options.

 <table>
    <search>
      <query>...</query>
    </search>
    <option name="drilldown">row</option>
    <drilldown field="*">
      <set token="Account">$row.Account$</set>
      <link target="_blank"><![CDATA[
        http://SplunkURL/en-US/app/myappName/my_dashboard?autoRun=True&form.UserInput=$row.Account$
      ]]></link>
    </drilldown>
  </table>
0 Karma

Path Finder

If I remember correctly, in simple xml you can have then in your table, but in the fields option for the table you can specify the fields. The data is still present, but not shown to the user.

For example, here I show the time, systemFrom and systemTo to the user, but on drilldown I grab the eventId value from that row and use this later on.

    <table>
        <search>
          <query><![CDATA[
index=myIndex  host=myHost 
...
          ]]></query>
        </search>
        <fields>_time, systemFrom, systemTo </fields>
        <option name="drilldown">row</option>
        <drilldown>
          <condition field="*">
            <set token="myEventId">$row.eventId$</set>
          </condition>
        </drilldown>
      </table>

Communicator

thank you @helenashton! this is great. I hesitated to try it at first thinking it wouldn't make sense after the | table line in my search, but it works exactly as expected!

in your search, you | table all the fields you need to keep and then copy only the field names you want to be visible into the |fields line.

0 Karma

Explorer

Thanks a lot! this works on tables. But this does not seem to work if I am using a column table? When I add the tag, it gives me an error warning that I cannot use "fields" node inside the column table. Any workaround?

0 Karma

Contributor

Thank you, those _time, systemFrom, systemTo and was exactly what i need.

0 Karma

Influencer

Thanks helenashton, never knew that, opens up another Splunk door 🙂

0 Karma

Communicator

You can use CSS to hide a column. I have done below (hides last column in the table of panel2):

div#panel2 .table tr>td:last-child {padding-right:20px; display:none !important;}
div#panel2 .table tr>th:last-child {padding-right:20px; display:none !important;}

Hope it helps.

0 Karma

Motivator

for Hide one or more columns in a table

you can use the " .........|fields - fieldName1" to hide one colunn in a table
or " .........|fields - fieldName1, fieldName2, fieldName3, ... fieldNamen " to hide more colunns in a table

exple you this search: "" |eventcount eventcount summarize=false index=* 0r index=_* "" but if i want to hide server colunn i add "|fields - server" command to end such

|eventcount eventcount summarize=false index=* 0r index=_* | fields - server you see in you result the server colunn is hide.

after your_search... for version 6.0 and 6.1 or your_search... for version6.2 in your xml you can Pass multiple arguments, including hidden columns, to a new dashboard from table results as drilldowns
and Replace column values with icons based on value

0 Karma

Builder

That doesn't hide them, it removes them. If I do a CSV export the "hidden" field does not get included. The results of this search do not meet my requirements.

index=portal sourcetype=portal WebPage!="*poller*" | table Date, user, WebPage, cs_uri_query | fields Date, user, WebPage
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!