Re: How to Use Replace Command in Drilldown with U...

rkrish71 · ‎03-12-2020

Hi,

I really appreciate the value splunk forum and the help from the community. Learning a lot.
I have a question as I am trying to figure this out.

I have data coming from different APIs and it has parameter on the header. I have used replace command in the header and stored each values under a variable like example below.

example using replace:
api/v1/testuser1 -> api/v1/unique_value
api/v2/testinfo1 -> api/v2/unique_value

Replace Query:
| eval api=replace(api, "(api/v1/.)","api/v1/unique_value")
| eval api=replace(api, "(api/v2/.)","api/v2/unique_value")

when I run this as a search query, I am able to fetch the results. But when I use the above in a dashboard drilldown. it doesn't work.
Can someone please help with this? Thanks.

manjunathmeti · ‎03-13-2020

hi @rkrish71,

Try this:

<form>
  <label>Label</label>
  <row>
    <panel>
      <title>Panel 1</title>
      <table>
        <search>
          <query>
              | makeresults 
              | eval _raw=" api
              /api/v1/testuser1
              /api/v2/testinfo1" 
              | multikv forceheader=1 
              | eval api=replace(api, "/[\w]+$", "/unique_value")
          </query>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="api">$row.api$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <html>
      <h1>Token value: $api$</h1>
    </html>
  </row>
</form>

rkrish71 · ‎03-17-2020

/api/v1/testuser1
/api/v2/testinfo1

This approach seems to be better But I have a question.

Do I replace testuser1 or testinfo2 with .* something like that? you have defined eval and stored only those two values. cause each time the value will differ and there will be hundreds of unique values. How do I approach that case? Thanks.

manjunathmeti · ‎03-17-2020

It is just sample data. You need to replace query:

| makeresults
| eval _raw=" api
 /api/v1/testuser1
 /api/v2/testinfo1" 
| multikv forceheader=1 
| eval api=replace(api, "/[\w]+$", "/unique_value")

with

<your base search> | eval api=replace(api, "/[\w]+$", "/unique_value")

skrajkumar_splu · ‎03-13-2020

Hi rkrish71

Try using replace command in drilldown like below

 <drilldown>
          <eval token="name">replace($click.value2$, "Sarath","Sarath kumar")</eval>
        </drilldown>

Guess this could help you solve your issue.

rkrish71 · ‎03-13-2020

Hi, Thanks for helping out.

Does that go as a token or in the replace command query itself like below?

Eg:
replace($click.value2$, "(api/v2/.)", "api/v2/unique_value")

skrajkumar_splu · ‎03-13-2020

It should go as a drilldown token like the below snippet

<dashboard>
  <label>Sarath</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval name= "My Name is Sarath" | table name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <eval token="name">replace($click.value2$, "Sarath","Sarath kumar")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults| eval name="$name$" | table name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

How to Use Replace Command in Drilldown with Unique Values?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes