Below is the source query to pass sourcetype.tok value to the destination dashboard.
list_of_filenames_by_hostname?form.sourcetype_tok=$click.name2$
Above is a value from a table upon clicking on the leftmost column. The value of the cell is captured in sourcetype_tok, but I'm not sure how to pass this to the destination field.
Try this as the drilldown element in your first dashboard.
<drilldown>
<link>list_of_filenames_by_hostname?computer_name=$row.Computer_Names$</link>
</drilldown>
You use form.tokenname when you have a form input (dropdown/text etc.) with the same tokenname in the drilldown dashboard. If you just want to use the token, pass it with just the token name.
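The two ways of passing the value described above, as an added example that is not part of the original thread. The dashboard, lookup and field names come from the thread; the text input, its label, and the `|u` and `|s` token filters (URL-encode the clicked value in the link, quote and escape it inside the search string) are additions made here.

```xml
<!-- Option A: the destination is a form with an input whose token is
     computer_name, so the link sets form.computer_name. -->

<!-- Source dashboard, inside the <table> element -->
<drilldown>
  <link>list_of_filenames_by_hostname?form.computer_name=$row.Computer_Names|u$</link>
</drilldown>

<!-- Destination dashboard: list_of_filenames_by_hostname -->
<form>
  <label>List of FileNames by HostName</label>
  <fieldset submitButton="false">
    <!-- Assumed input: receives the value sent as form.computer_name -->
    <input type="text" token="computer_name" searchWhenChanged="true">
      <label>Computer name</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- |s wraps the token value in quotes and escapes embedded quotes,
               so a value arriving from the URL stays a single search term -->
          <query>| inputlookup asset_lookup | search computer_name=$computer_name|s$</query>
        </search>
      </table>
    </panel>
  </row>
</form>

<!-- Option B: the destination has no input and only uses $computer_name$
     in its search, so the link passes the bare token name. -->
<drilldown>
  <link>list_of_filenames_by_hostname?computer_name=$row.Computer_Names|u$</link>
</drilldown>
```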
Got it!! thanks. I just overlooked
Question:
1) In the source query, I have used JOIN, which is quite expensive. Are there ways in Splunk where I can use a common field to join two sources without using a JOIN statement and without being expensive?
Give this a try
index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") |eval hashes = mvappend(md5,sha256)|append [|inputlookup asset_lookup]
| stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath values(hashes) as hashes by bigfix_computer_id search
|stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath by hashes | chart count over Computer_Names by Authorized/Unauthorized
I tried it and it did not pull up the results.
stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath values(hashes) as hashes by bigfix_computer_id search
Why do you have search at end?
The search keyword was there in your dashboard xml. If that was a typo and the only common field is bigfix_computer_id between your data and lookup, you can just do a simple lookup.
Try this now
index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") |eval hashes = mvappend(md5,sha256) | lookup asset_lookup bigfix_computer_id OUTPUT ....put list of fields that you need from lookup for better performance...
|stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath by hashes | chart count over Computer_Names by Authorized/Unauthorized
Can you provide your full dashboard xml? What is the token name that you want to use in the destination dashboard/form which will hold the value?
Source Dashboard
List of Authorized/Unauthorized Softwares
This dashboard describes list of Authorized/Unauthorized Softwares by Computer Names
<panel>
<table>
<search>
<query>index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") |eval hashes = mvappend(md5,sha256)|join bigfix_computer_id search [|inputlookup asset_lookup] |stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath by hashes | chart count over Computer_Names by Authorized/Unauthorized</query>
</search>
<drilldown>
<link>list_of_filenames_by_hostname?form.computer_name=$row.Computer_Names$</link>
</drilldown>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="count">10</option>
</table>
</panel>
Destination Dashboard
List of FileNames by HostName
<panel>
<table>
<search>
<query>| inputlookup asset_lookup|search computer_name="$computer_name$" </query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
</table>
</panel>
Getting "Search is waiting for Input", not sure why?