Help with drilldown and tokens on a dashboard

tmarlette
Motivator

I have a dashboard with a series of different panels on it. Some for user-specific information, process info, hardware, etc.

The top of my dashboard looks like this:

This is an example of a table that I have. This data is coming from the standard Splunk_TA_nix 'top.sh' script:

What I'm trying to do is have the inputs load each token 1 at a time upon clicking. So let's say I click on the nessusd process. That process will load in the input above, leaving the other two blank. (This part I have).

Next, if I click on a host (mind these are all different hosts, I simply anonymized the data) then both the host AND the old process value would be passed. Then if I were to click a user, the user value, AND the old process value, AND the old host value would be passed.

The part I'm having trouble with is retaining the old $click.value2$ values in the second and third clicks.

Here's the current simple XML I'm using:

<panel>
      <table>
        <title>(CPU) Services by User (top)</title>
        <search>
          <query>index=nix sourcetype=top host=$host$ COMMAND=$process$ USER="$user$"
| stats avg(pctCPU) as CPU avg(pctMEM) as MEM by USER process_name host
| eval CPU=round(CPU,2) 
| eval MEM=round(MEM,2) 
| sort - CPU
| head 10
| eval CPU=(CPU.""."%")
| eval MEM=(MEM.""."%")
| eval host="myHost"</query>
          <earliest>$hist.earliest$</earliest>
          <latest>$hist.latest$</latest>
        </search>
        <drilldown target="NewWindow">
          <condition field="host">
            <link>/app/myApp/test/?form.host=$click.value2$</link>
          </condition>
          <condition field="process_name">
            <link>/app/myApp/test/?form.process=$click.value2$</link>
          </condition>
          <condition field="USER">
            <link>/app/myApp/test/?form.user=$click.value2$</link>
          </condition>
        </drilldown>
      </table>
    </panel>

This makes the first click load every time, but the second click always loses the previous field value.

0 Karma

niketn
Legend

@tmarlette, you would need to set the token on each table column click and then use the token in your drilldown click. You would need to initialize all the tokens with default values to be used for the first time. I have used the <init> section, available from Splunk Enterprise 6.5 onward, for the same.

Please find below the run anywhere example using Splunk _internal index:

<dashboard>
  <label>Table row save previous click as token</label>
  <init>
    <set token="tokHost">form.host=*</set>
    <set token="tokSource">form.source=*</set>
    <set token="tokComponent">form.component=*</set>
  </init>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by host, source, component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="host">
            <set token="tokHost">form.host=$row.host$</set>
            <link target="_blank">/app/myApp/test/?$tokHost|n$&amp;$tokSource|n$&amp;$tokComponent|n$</link>
          </condition>
          <condition field="source">
            <set token="tokSource">form.source=$row.source$</set>
            <link target="_blank">/app/myApp/test/?$tokHost|n$&amp;$tokSource|n$&amp;$tokComponent|n$</link>
          </condition>
          <condition field="component">
            <set token="tokComponent">form.component=$row.component$</set>
            <link target="_blank">/app/myApp/test/?$tokHost|n$&amp;$tokSource|n$&amp;$tokComponent|n$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

PS: Token values have been escaped using |n in this example so that the equals sign (=) does not get escaped as %3D. Refer to the documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Token_filters.
If you want to open the target link in a new window, please use the option link target="_blank" as in the following example.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

tmarlette
Motivator

I tried this, and it seems to load the * in all of the fields anyway, however... when I change any of the tokens at the top (under ) the value changes in the next screen. Mind you, the linked dashboard, is this dashboard, just with the added fields in the form inputs. Essentially it's a loop, and we're just adding the fields we want to filter by.

So basically, the behavior is still the same.

This is the code I copied from your answers:

<form>
  <label>Table row save previous click as token</label>
  <init>
    <set token="tokHost">form.host=*</set>
    <set token="tokSource">form.source=*</set>
    <set token="tokComponent">form.component=*</set>
  </init>
  <fieldset submitButton="false">
    <input type="text" token="host">
      <label>host</label>
      <default>*</default>
    </input>
    <input type="text" token="source">
      <label>source</label>
      <default>*</default>
    </input>
    <input type="text" token="component">
      <label>component</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO" host=$host$ source=$source$ component=$component$
 | stats count by host, source, component</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown target="blank">
          <condition field="host">
            <set token="tokHost">form.host=$row.host$</set>
            <link target="_blank">/app/myApp/test2/?$tokHost|n$&amp;$tokSource|n$&amp;$tokComponent|n$</link>
          </condition>
          <condition field="source">
            <set token="tokSource">form.source=$row.source$</set>
            <link target="_blank">/app/myApp/test2/?$tokHost|n$&amp;$tokSource|n$&amp;$tokComponent|n$</link>
          </condition>
          <condition field="component">
            <set token="tokComponent">form.component=$row.component$</set>
            <link target="_blank">/app/myApp/test2/?$tokHost|n$&amp;$tokSource|n$&amp;$tokComponent|n$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
0 Karma

niketn
Legend

@tmarlette, "...load the * in all of the fields..." is the intent of the code. Through the <init> section, all values are defaulted to *, which should change one by one as you select respective values.

Can you please clarify "...the linked dashboard, is this dashboard,..."? Does this mean your source and destination dashboards are actually the same? If it is so then the approach should be completely different and might not be too complicated.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

tmarlette
Motivator

Yes, that is correct. The source and destination dashboards are the same dashboard, and the only thing to change would be the values in the inputs section.

0 Karma

sbbadri
Motivator

Try this:

     <drilldown target="NewWindow">
       <condition field="host">
         <link>/app/myApp/test/?form.host=$row.host$</link>
       </condition>
       <condition field="process_name">
         <link>/app/myApp/test/?form.process=$row.process_name$</link>
       </condition>
       <condition field="USER">
         <link>/app/myApp/test/?form.user=$row.USER$</link>
       </condition>
     </drilldown>

For more details, please check the link below:

https://docs.splunk.com/Documentation/Splunk/6.5.3/Viz/Dynamicdrilldownindashboardsandforms

0 Karma

tmarlette
Motivator

I tried this, but it loads the same as the previous way. It loads only a single field with each click, but each time it sets the remaining two fields back to *.

0 Karma

sbbadri
Motivator

Try this:

<drilldown target="blank">
  <condition field="host">
    <link>/app/myApp/test/?form.host=$row.host$&amp;form.process_name$</link>
  </condition>
  <condition field="USER">
    <link>/app/myApp/test/?form.user=$row.USER$&amp;form.host=$row.host$&amp;form.process_name$</link>
  </condition>
  <condition field="process_name">
    <link>/app/myApp/test/?form.process=$row.process_name$</link>
  </condition>
</drilldown>

Below is the example from the previous post's link:

<drilldown>
<link>
<![CDATA[
/app/search/form_for_drilldown?form.sourcetype=$row.sourcetype$&earliest=$earliest$&latest=$latest$
]]>
</link>
</drilldown>

0 Karma
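
Because the source and destination are the same dashboard, each drilldown link can pass the current value of every input alongside the clicked cell. The following is an added example, not code from any poster in this thread; it assumes the form inputs are named host, process and user and the time picker hist, as in the question, and it reuses the question's /app/myApp/test path.

```xml
<form>
  <label>Drilldown that keeps earlier selections</label>
  <fieldset submitButton="false">
    <input type="time" token="hist">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <input type="text" token="host"><label>host</label><default>*</default></input>
    <input type="text" token="process"><label>process</label><default>*</default></input>
    <input type="text" token="user"><label>user</label><default>*</default></input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>(CPU) Services by User (top)</title>
        <search>
          <!-- |s wraps each input value in quotes before it reaches the search -->
          <query>index=nix sourcetype=top host=$host|s$ COMMAND=$process|s$ USER=$user|s$
| stats avg(pctCPU) as CPU avg(pctMEM) as MEM by USER process_name host
| eval CPU=round(CPU,2), MEM=round(MEM,2)
| sort - CPU
| head 10</query>
          <earliest>$hist.earliest$</earliest>
          <latest>$hist.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- Every link targets this same dashboard and sends all three inputs:
               the clicked column takes $click.value2$, the other two repeat their
               current $form.*$ values, so earlier clicks survive the next one. -->
          <condition field="host">
            <link target="_blank">/app/myApp/test?form.host=$click.value2$&amp;form.process=$form.process$&amp;form.user=$form.user$&amp;form.hist.earliest=$hist.earliest$&amp;form.hist.latest=$hist.latest$</link>
          </condition>
          <condition field="process_name">
            <link target="_blank">/app/myApp/test?form.host=$form.host$&amp;form.process=$click.value2$&amp;form.user=$form.user$&amp;form.hist.earliest=$hist.earliest$&amp;form.hist.latest=$hist.latest$</link>
          </condition>
          <condition field="USER">
            <link target="_blank">/app/myApp/test?form.host=$form.host$&amp;form.process=$form.process$&amp;form.user=$click.value2$&amp;form.hist.earliest=$hist.earliest$&amp;form.hist.latest=$hist.latest$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
```

Each token here holds only a value, never a whole name=value pair, so the |n filter is not needed and cell contents containing & or = cannot add or override URL parameters.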