Drilldown: How to pass values to the destination form or dashboard?

ashishlal82
Explorer

Below is the source query to pass sourcetype.tok value to the destination dashboard.

list_of_filenames_by_hostname?form.sourcetype_tok=$click.name2$

Above is a value from a table upon clicking on the leftmost column. The value of the cell is captured in sourcetype_tok, but I am not sure how to pass this to the destination field.

0 Karma
1 Solution

somesoni2
SplunkTrust

Try this as the drilldown element in your first dashboard.

<drilldown>
  <link>list_of_filenames_by_hostname?computer_name=$row.Computer_Names$</link>
</drilldown>

You use form.tokenname when you have a form input (dropdown, text, etc.) with the same token name in the drilldown dashboard. If you just want to use the token, pass it with just the token name.

0 Karma

ashishlal82
Explorer

Got it!! Thanks. I just overlooked

0 Karma

ashishlal82
Explorer

Question:
1) In the source query, I have used JOIN, which is quite expensive. Are there ways in Splunk where I can use a common field to join two sources without using a JOIN statement and without being expensive?

0 Karma

somesoni2
SplunkTrust

Give this a try

index=bigfix sourcetype=software
| eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized")
| eval hashes = mvappend(md5,sha256)
| append [|inputlookup asset_lookup]
| stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath values(hashes) as hashes by bigfix_computer_id search
| stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath by hashes
| chart count over Computer_Names by Authorized/Unauthorized

0 Karma

ashishlal82
Explorer

I tried it and it did not pull up the results.

stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as  Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath values(hashes) as hashes by bigfix_computer_id search

Why do you have search at the end?

0 Karma

somesoni2
SplunkTrust

The search keyword was there in your dashboard XML. If that was a typo and the only common field is bigfix_computer_id between your data and lookup, you can just do a simple lookup.

Try this now

index=bigfix sourcetype=software
| eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized")
| eval hashes = mvappend(md5,sha256)
| lookup asset_lookup bigfix_computer_id OUTPUT ....put list of fields that you need from lookup for better performance...
| stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath by hashes
| chart count over Computer_Names by Authorized/Unauthorized

0 Karma

somesoni2
SplunkTrust

Can you provide your full dashboard xml? What is the token name that you want to use in the destination dashboard/form which will hold the value?

0 Karma

ashishlal82
Explorer

Source Dashboard

List of Authorized/Unauthorized Softwares
This dashboard describes list of Authorized/Unauthorized Softwares by Computer Names

<panel>
  <table>
    <search>
      <query>index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR  (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") |eval hashes = mvappend(md5,sha256)|join  bigfix_computer_id search [|inputlookup asset_lookup] |stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as  Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath by hashes | chart count  over Computer_Names by Authorized/Unauthorized</query>
    </search>
    <drilldown>
      <link>list_of_filenames_by_hostname?form.computer_name=$row.Computer_Names$</link>
    </drilldown>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <option name="count">10</option>
  </table>
</panel>

Destination Dashboard

List of FileNames by HostName

<panel>
  <table>
    <search>
      <query>| inputlookup asset_lookup|search computer_name="$computer_name$" </query>
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </search>
  </table>
</panel>

Getting "Search is waiting for Input". Not sure why?

0 Karma
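
The rule from the accepted solution, applied to the two dashboards posted above. This is an added example, not part of the original thread. The dashboard, lookup and field names are the posters' own; the `<input>` element with its label and the `|u` and `|s` token filters are additions assumed here.

```xml
<!-- Added example: Simple XML fragments for two dashboards, not one file. -->
<!-- Variant A, source: the destination has no form input, so pass the bare
     token name. The u filter URL-encodes the clicked cell value. -->
<drilldown>
  <link>list_of_filenames_by_hostname?computer_name=$row.Computer_Names|u$</link>
</drilldown>

<!-- Variant A, destination: reads $computer_name$ set from the URL.
     The s filter wraps the value in quotes and escapes embedded quotes,
     so the URL parameter reaches the search as one quoted string. -->
<dashboard>
  <label>List of FileNames by HostName</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| inputlookup asset_lookup | search computer_name=$computer_name|s$</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

<!-- Variant B, source: the form. prefix is kept, so the destination must
     declare a form input whose token has the same name. -->
<drilldown>
  <link>list_of_filenames_by_hostname?form.computer_name=$row.Computer_Names|u$</link>
</drilldown>

<form>
  <label>List of FileNames by HostName</label>
  <fieldset submitButton="false">
    <input type="text" token="computer_name">
      <label>Computer name</label> <!-- assumed label text -->
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| inputlookup asset_lookup | search computer_name=$computer_name|s$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The dashboards as posted pair a `form.computer_name` link with a destination that declares no matching form input, which is the combination the accepted solution's rule rules out.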