How to Use Replace Command in Drilldown with Unique Values?

New Member

Hi,

I really appreciate the value of the Splunk forum and the help from the community. Learning a lot.
I have a question as I am trying to figure this out.

I have data coming from different APIs and it has a parameter on the header. I have used the replace command in the header and stored each value under a variable, like the example below.

Example using replace:
api/v1/testuser1 -> api/v1/unique_value
api/v2/testinfo1 -> api/v2/unique_value

Replace query:
| eval api=replace(api, "(api/v1/.)","api/v1/unique_value")
| eval api=replace(api, "(api/v2/.)","api/v2/unique_value")

When I run this as a search query, I am able to fetch the results. But when I use the above in a dashboard drilldown, it doesn't work.
Can someone please help with this? Thanks.

0 Karma

Influencer

Hi @rkrish71,

Try this:

<form>
  <label>Label</label>
  <row>
    <panel>
      <title>Panel 1</title>
      <table>
        <search>
          <query>
              | makeresults 
              | eval _raw=" api
              /api/v1/testuser1
              /api/v2/testinfo1" 
              | multikv forceheader=1 
              | eval api=replace(api, "/[\w]+$", "/unique_value")
          </query>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="api">$row.api$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <html>
      <h1>Token value: $api$</h1>
    </html>
  </row>
</form>
0 Karma

New Member

/api/v1/testuser1
/api/v2/testinfo1

This approach seems to be better, but I have a question.

Do I replace testuser1 or testinfo2 with .* or something like that? You have defined eval and stored only those two values. Each time the value will differ and there will be hundreds of unique values. How do I approach that case? Thanks.

0 Karma

Influencer

It is just sample data. You need to replace the query:

| makeresults
| eval _raw=" api
 /api/v1/testuser1
 /api/v2/testinfo1" 
| multikv forceheader=1 
| eval api=replace(api, "/[\w]+$", "/unique_value")

with

<your base search> | eval api=replace(api, "/[\w]+$", "/unique_value")
0 Karma
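The regex from the answer above, checked against more kinds of identifier than the two sample values, as an added example that is not part of the original thread. It is written in Python so the patterns can be tested outside Splunk, on the assumption that Splunk's replace() treats these simple patterns the way Python's re module does; `BROAD_PATTERN`, the function names and all sample paths beyond the first two are hypothetical.

```python
import re

# Pattern posted in the thread: replaces a final path segment made only of \w.
THREAD_PATTERN = re.compile(r"/[\w]+$", re.ASCII)

# Hypothetical broader pattern (an assumption, not from the thread): keep the
# /api/v<N> prefix and replace whatever follows the next slash.
BROAD_PATTERN = re.compile(r"^(/api/v\d+)/[^/?#]+.*$", re.ASCII)

PLACEHOLDER = "/unique_value"


def normalise_thread(path: str) -> str:
    """Apply the thread's pattern; returns the input unchanged on no match."""
    return THREAD_PATTERN.sub(PLACEHOLDER, path)


def normalise_broad(path: str) -> str:
    """Apply the broader pattern, keeping the captured /api/v<N> prefix."""
    return BROAD_PATTERN.sub(lambda m: m.group(1) + PLACEHOLDER, path)


def unchanged(paths, normaliser):
    """Return the paths a normaliser leaves untouched (regex did not match)."""
    return [p for p in paths if normaliser(p) == p]


# Constructed sample values; only the first two appear in the thread.
SAMPLES = [
    "/api/v1/testuser1",
    "/api/v2/testinfo1",
    "/api/v1/user-42",            # hyphen is not matched by \w
    "/api/v1/testuser1/",         # trailing slash
    "/api/v2/testinfo1?page=2",   # query string after the identifier
    "/api/v1",                    # no identifier at all
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw:28} {normalise_thread(raw):24} {normalise_broad(raw)}")
    print("thread pattern missed:", unchanged(SAMPLES, normalise_thread))
    print("broad pattern missed: ", unchanged(SAMPLES, normalise_broad))
```

The thread's pattern leaves hyphenated, slash-terminated and query-string values unreplaced and rewrites the version segment of a bare `/api/v1`, so values of those shapes would show up as separate rows in the dashboard table.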

Splunk Employee

Hi rkrish71

Try using the replace command in the drilldown, like below:

<drilldown>
  <eval token="name">replace($click.value2$, "Sarath","Sarath kumar")</eval>
</drilldown>

Guess this could help you solve your issue.

0 Karma

New Member

Hi, Thanks for helping out.

Does that go as a token or in the replace command query itself like below?

Eg:
replace($click.value2$, "(api/v2/.)", "api/v2/unique_value")

0 Karma

Splunk Employee

It should go as a drilldown token, like the snippet below:

<dashboard>
  <label>Sarath</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval name= "My Name is Sarath" | table name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <eval token="name">replace($click.value2$, "Sarath","Sarath kumar")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults| eval name="$name$" | table name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma