Solved: Re: How filter all panels by clicking on a cell ?

mah · ‎04-16-2021

Hi,

I have a dashboard like that :

All panels are based on a basesearch begins like that :

index=test sourcetype=st_test $text$

The token "text" is associated to the text input (it is what I want to improve). Here is the basic input :

<input type="text" token="text" searchWhenChanged="true">
<label>Raw Document Text Search</label>
<default>*</default>
</input>

The wish is I want to be able to click on any cell of the panel containing a table and that the whole dashboard is filtered according to this value.

Today I have to copy a Id value (for example, it could be values of other columns) and paste it in the text box input. I want to mechanize this process.

Do you think it is possible ? If yes how can I do that ?

Thanks for your help !

gcusello · ‎04-16-2021

Hi @mah.,

it's strange, this solution runs on my Splunk also using base search:

<form>
  <label>Test Dashboard</label>
  <fieldset submitButton="false">
    <input type="text" token="text1">
      <label>Text 1</label>
      <default>*</default>
    </input>
    <input type="text" token="text2">
      <label>Text2</label>
      <default>$form.text2$</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
        <search id="base">
          <query>
            index=_internal $text1$ $text2$
            | head 1000
            | fields sourcetype source user component
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>
            | table sourcetype source user component
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="form.text2">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

The only difference I seee with mine is refresh in base search; I cannot test it, could you try to delete refresh to understand if this is the problem?

Ciao.

Giuseppe

View solution in original post

anilchaithu · ‎04-16-2021

@mah

Does the table panel is also built on this base search?

Its possible to pass the value from the table panel to the base search. you should create tokens based on requirements. In your case, you can use $click.value2$ to pick the value from table.

To manage tokens, Edit Dashboard -> More Actions (3 vertical dots on the top right of the panel) -> Edit Drilldown -> select 'Manage tokens on this dashboard' from dropdown

-- Hope this helps

mah · ‎04-16-2021

Hi @anilchaithu

Yes the panel in built on a base search (you can see the code in my reply to to @gcusello).

I tried the token but no success because the base search is waiting for a value that I have not selected yet. (see the picture in my other reply).

anilchaithu · ‎04-16-2021

you should have an initial value like a wild card (*) for this form input

gcusello · ‎04-16-2021

Hi @mah,

see if this example could be useful for you:

<form>
  <label>Test Dashboard</label>
  <fieldset submitButton="false">
    <input type="text" token="text1">
      <label>Text 1</label>
      <default>*</default>
    </input>
    <input type="text" token="text2">
      <label>Text2</label>
      <default>form.text2</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
            index=_internal $text1$ $text2$
            | head 1000
            | table sourcetype source user component
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="form.text2">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

Ciao.

Giuseppe

mah · ‎04-16-2021

Hi @gcusello,

I tried your settings but all searches send "no result found" :

here is the source code :

<form theme="light">
<label>Clone</label>
<search id="baseSearch">
<!-- The base search-->
<query>index=test sourcetype=test_st $text1$ $text2$</query>
<earliest>$global-time-picker.earliest$</earliest>
<latest>$global-time-picker.latest$</latest>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="global-time-picker" searchWhenChanged="true">
<label>Global Time Picker</label>
<default>
<earliest>-30m</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="text1" searchWhenChanged="true">
<label>Raw Document Text Search</label>
<default>*</default>
</input>
<input type="text" token="text2">
<label>Text2</label>
<default>form.text2</default>
</input>
</fieldset>
<row>
<panel id="table">
<title>log</title>
<table>
<search base="baseSearch">
<query>| stats first(env) as env earliest(_time) as startsAt first(TxName) as TxName count(Id) as Count by Id | eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt </query>
</search>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="form.text2">$click.value2$</set>
</drilldown>
</table>
</panel>
</row>

and when I open the search I got this :

index=test sourcetype=test_st * form.text2 | stats first(env) as env earliest(_time) as startsAt first(TxName) as TxName count(Id) as Count by Id | eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt

What I did wrong ?

gcusello · ‎04-16-2021

Hi @mah,

sorry, my error,

in the second input please try:

    <input type="text" token="text2">
      <label>Text2</label>
      <default>$form.text2$</default>
      <initialValue>*</initialValue>
    </input>

Ciao.

Giuseppe

mah · ‎04-16-2021

Hi @gcusello

Still same error : here is my code :

<form>
  <label>Clone</label>
  <search id="baseSearch">
    <!-- The base search-->
    <query>index=test sourcetype=test_st $text1$ $text2$</query>
    <earliest>$global-time-picker.earliest$</earliest>
    <latest>$global-time-picker.latest$</latest>
    <refresh>5m</refresh>
    <refreshType>delay</refreshType>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="global-time-picker" searchWhenChanged="true">
      <label>Global Time Picker</label>
      <default>
        <earliest>-30m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="text1">
      <label>Text 1</label>
      <default>*</default>
    </input>
    <input type="text" token="text2">
      <label>Text2</label>
      <default>$form.text2$</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
<row>
<panel id="table">
      <title>log</title>
      <table>
        <search base="baseSearch">
          <query>| stats  first(env) as env earliest(_time) as startsAt first(TxName) as TxName  count(Id) as logCount by Id |  eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt </query>
        </search>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="form.text2">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
</row>
</form>

gcusello · ‎04-16-2021

Hi @mah.,

it's strange, this solution runs on my Splunk also using base search:

<form>
  <label>Test Dashboard</label>
  <fieldset submitButton="false">
    <input type="text" token="text1">
      <label>Text 1</label>
      <default>*</default>
    </input>
    <input type="text" token="text2">
      <label>Text2</label>
      <default>$form.text2$</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
        <search id="base">
          <query>
            index=_internal $text1$ $text2$
            | head 1000
            | fields sourcetype source user component
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>
            | table sourcetype source user component
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="form.text2">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

The only difference I seee with mine is refresh in base search; I cannot test it, could you try to delete refresh to understand if this is the problem?

Ciao.

Giuseppe

mah · ‎04-16-2021

I tried to remove the refresh setting but nothing change :

<form>
  <label>Clone</label>
  <search id="baseSearch">
    <!-- The base search-->
    <query>index=test sourcetype=test_st $text1$ $text2$</query>
    <earliest>$global-time-picker.earliest$</earliest>
    <latest>$global-time-picker.latest$</latest>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="global-time-picker" searchWhenChanged="true">
      <label>Global Time Picker</label>
      <default>
        <earliest>-30m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="text1">
      <label>Text 1</label>
      <default>*</default>
    </input>
    <input type="text" token="text2">
      <label>Text2</label>
      <default>$form.text2$</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
<row>
<panel id="table">
      <title>log</title>
      <table>
        <search base="baseSearch">
          <query>| stats  first(env) as env earliest(_time) as startsAt first(TxName) as TxName  count(Id) as logCount by Id |  eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt </query>
        </search>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="form.text2">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
</row>
</form>

I remove it also from your code example and it works (actually it works since the beginning)

More strange, I get result with the query :

index=_internal * form.text2

But nothing with my query :

index=test sourcetype=test_st * form.text2

I really don't understand.

gcusello · ‎04-16-2021

Hi @mah,

please, try to using this as base search:

index=test sourcetype=test_st $text1$ $text2$
| fields env _time TxName Id

Ciao.

Giuseppe

mah · ‎04-16-2021

I tried this :

index=test sourcetype=test_st $text1$ $text2$
| fields env _time TxName Id

and this :

index=test sourcetype=test_st $text1$ $text2$
| fields *

no one work...

gcusello · ‎04-16-2021

Hi @mah,

try not using base search because I think that the problem could be there, if it will run, you can search the problem in base search.

You could also see if your dashboard runs without the second text box, my idea is that it shouldn't run.

Ciao.

Giuseppe

mah · ‎04-16-2021

@gcusello

I had the same idea : trying without the base search. I copy/paste your code and only change the query :

<form>
  <label>clone</label>
  <fieldset submitButton="false">
    <input type="text" token="text1">
      <label>Text 1</label>
      <default>*</default>
    </input>
    <input type="text" token="text2">
      <label>Text2</label>
      <default>form.text2</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
            index=test sourcetype=test_st $text1$ $text2$
            | stats  first(env) as env earliest(_time) as startsAt first(TxName) as TxName count(Id) as logCount by Id |  eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="form.text2">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

It did not work as well.

When I open the query, I have this query :

index=test sourcetype=test_st * form.text2
| stats first(env) as env earliest(_time) as startsAt first(TxName) as TxName count(Id) as logCount by Id | eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt

=> 0 event

When I remove "form.text2" from the query, results appear.

I tried with another index like :

index=main * form.text2 and no result again

gcusello · ‎04-16-2021

Hi @mah,

the initial value for text2 is missing.

Please try again.

Giuseppe

mah · ‎04-16-2021

Yes sorry I added it and nothing change.

What I found out is it seems to work only with _internal index, I tried with another index like :

index=main * form.text2 and no result again.

And it works with _internal index because the string "form.text2" appears in _internal logs due to my multiple searches !

Try to your side with another index you will see and tell me if you have same issue please.

gcusello · ‎04-16-2021

Hi @mah,

using wineventlog is running in my Splunk.

Ciao.

Giuseppe

mah · ‎04-16-2021

OK @gcusello

I understand what happened : when I save the code, the text "form.text2" appears in the input field :

I removed the text and pressed enter and now the input text2 is cleared and results appeared.

The drilldown works perfectly.

In my final dashboard, I removed the input text1, to see how it's behave, and one input do the job.

Thanks for your patience !

I will vote for the post with the right code.

gcusello · ‎04-16-2021

Hi @mah.,

if this solves your need, please accept my answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

mah · ‎04-16-2021

@gcusello really ?

so I really don't understand what happen by my side...

How filter all panels by clicking on a cell ?

drilldown

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life