I am using Advanced XML and plan on doing so as long as I can but I am curious to know whether I can do the following in Simple XML. This is a small sample of stuff I do every day in Advanced XML.
Hide one or more columns in a table
Pass multiple arguments, including hidden columns, to a new dashboard from table results as drilldowns
Replace column values with icons based on value
For requirement 2, use the example dashboard "Table Icon Set" from the "Splunk 6.x Dashboard Example" app.
App link: https://splunkbase.splunk.com/app/1603/
"Pass multiple arguments, including hidden columns, to a new dashboard from table results as drilldowns"
I was just doing this yesterday and recalled your question.
You can use the drilldown option and then the link to specify the new dashboard URL. In this you can include the token value (mine was row.Account) and assign this to an input field (mine was called UserInput). I have left in the XML for setting the token for normal drilldown use two - I often have both options.
<table>
<search>
<query>...</query>
</search>
<option name="drilldown">row</option>
<drilldown field="*">
<set token="Account">$row.Account$</set>
<link target="_blank"><![CDATA[
http://SplunkURL/en-US/app/myappName/my_dashboard?autoRun=True&form.UserInput=$row.Account$
]]></link>
</drilldown>
</table>
If I remember correctly, in simple xml you can have then in your table, but in the fields option for the table you can specify the fields. The data is still present, but not shown to the user.
For example, here I show the time, systemFrom and systemTo to the user, but on drilldown I grab the eventId value from that row and use this later on.
<table>
<search>
<query><![CDATA[
index=myIndex host=myHost
...
]]></query>
</search>
<fields>_time, systemFrom, systemTo </fields>
<option name="drilldown">row</option>
<drilldown>
<condition field="*">
<set token="myEventId">$row.eventId$</set>
</condition>
</drilldown>
</table>
thank you @helenashton! this is great. I hesitated to try it at first thinking it wouldn't make sense after the | table line in my search, but it works exactly as expected!
in your search, you | table
all the fields you need to keep and then copy only the field names you want to be visible into the |fields
line.
Thanks a lot! this works on tables. But this does not seem to work if I am using a column table? When I add the tag, it gives me an error warning that I cannot use "fields" node inside the column table. Any workaround?
Thank you, those _time, systemFrom, systemTo and was exactly what i need.
Thanks helenashton, never knew that, opens up another Splunk door 🙂
You can use CSS to hide a column. I have done below (hides last column in the table of panel2):
div#panel2 .table tr>td:last-child {padding-right:20px; display:none !important;}
div#panel2 .table tr>th:last-child {padding-right:20px; display:none !important;}
Hope it helps.
for Hide one or more columns in a table
you can use the " .........|fields - fieldName1" to hide one colunn in a table
or " .........|fields - fieldName1, fieldName2, fieldName3, ... fieldNamen " to hide more colunns in a table
exple you this search: "" |eventcount eventcount summarize=false index=* 0r index=_* "" but if i want to hide server colunn i add "|fields - server" command to end such
|eventcount eventcount summarize=false index=* 0r index=_* | fields - server you see in you result the server colunn is hide.
after your_search... for version 6.0 and 6.1 or your_search... for version6.2 in your xml you can Pass multiple arguments, including hidden columns, to a new dashboard from table results as drilldowns
and Replace column values with icons based on value
That doesn't hide them, it removes them. If I do a CSV export the "hidden" field does not get included. The results of this search do not meet my requirements.
index=portal sourcetype=portal WebPage!="*poller*" | table Date, user, WebPage, cs_uri_query | fields Date, user, WebPage