Solved: How do you manipulate a token before passing it to...

splunkrocks2014 · ‎09-10-2018

How do you manipulate a token before passing it to a drilldown?

For example, the following dashboard has a a statistic table with a field, country with value "United States of America (USA)", and I just want to pass "USA" to the drilldown. But the token ("country") is not changed to "USA" from the eval function when passed to the deep link. Any clues? Thanks.

<dashboard>
  <label>testing</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval Country="United States of America (USA)"
| table Country</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <eval token="country">replace(replace(mvindex(split($click.value$," "),-1,-1),"\(",""),"\)","")</eval>
          <link target="_blank">
            <![CDATA[https://en.wikipedia.org/wiki/$country$]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

renjith_nair · ‎09-10-2018

@splunkrocks2014 ,

It's possible to change but why don't you extract in the search itself? For e.g.

<dashboard>
  <label>testing</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval Country="United States of America (USA)"
| rex field="Country" "\((?<_C>.*)\)"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">
            <![CDATA[https://en.wikipedia.org/wiki/$row._C$]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Happy Splunking!

View solution in original post

renjith_nair · ‎09-10-2018

@splunkrocks2014 ,

It's possible to change but why don't you extract in the search itself? For e.g.

<dashboard>
  <label>testing</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval Country="United States of America (USA)"
| rex field="Country" "\((?<_C>.*)\)"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">
            <![CDATA[https://en.wikipedia.org/wiki/$row._C$]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Happy Splunking!

splunkrocks2014 · ‎09-11-2018

Never thought about this way 🙂 ... thanks.

How do you manipulate a token before passing it to a drilldown?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7