Dashboards & Visualizations

How to add show more and show less function to the table column?

Rajini
Engager

Hello Everyone..

Please reply if you have any solution to add show more and show less function in splunk dashboard table column.

lets say there is one table with 4 columns - C1, C2, C3, C4 and 5 rows - R1, R2, R3, R4, R5.

Consider Column C2 has 1 value in R1, 10 values in R2, 4 values in R3, 5 values in R4, 2 values in R5.

I have to make 1 value to show as default and if there is value more than one then "show more" option should get enabled to expand the remaining details and "show less" option to collapse the expanded details.

Thanks in Advance!

Labels (3)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

There are a couple of ways you can do this, one with simple token usage and one with javascript.

For the JS, see the 'Table row expansion' example in the Splunk dashboard examples app

https://splunkbase.splunk.com/app/1603

there are some simple examples there.

You can also do it something like this with tokens. This example dashboard shows how you can use a token to control what form of C1 looks like. See $tok_row$ usage.

<form version="1.1">
  <label>test</label>
  <init>
    <set token="tok_row">0</set>
  </init>
  <search id="base_data">
    <query>
| makeresults count=5
| fields - _time
| streamstats c as row
``` lets say there is one table with 4 columns - C1, C2, C3, C4 and 5 rows - R1, R2, R3, R4, R5.
Consider Column C2 has 1 value in R1, 10 values in R2, 4 values in R3, 5 values in R4, 2 values in R5.```
| eval C1=case(row=1, "Value1", 
               row=2, split("Value1,Value2,Value3,Value4,Value5,Value6,Value7,Value8,Value9,Value10", ","),
               row=3, split("Value1,Value2,Value3,Value4", ","),
               row=4, split("Value1,Value2,Value3,Value4,Value5", ","),
               row=5, split("Value1,Value2", ","))
| eval C1=mvmap(C1, C1."_R".row)
| foreach 2 3 4 [  eval C&lt;&lt;FIELD&gt;&gt;=random() % 10000 ]
| eval C1_FULL=C1
    </query>
  </search>
  <row>
    <panel>
      <table>
        <search base="base_data">
          <query>
| eval C1=if(row=$tok_row$, C1_FULL, mvindex(C1_FULL, 0, 0))
          </query>
        </search>
        <fields>"C1","C2","C3","C4"</fields>
        <drilldown>
          <eval token="tok_row">if($row.row$=$tok_row$, 0, $row.row$)</eval>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

Hope this gives you some ideas

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

There are a couple of ways you can do this, one with simple token usage and one with javascript.

For the JS, see the 'Table row expansion' example in the Splunk dashboard examples app

https://splunkbase.splunk.com/app/1603

there are some simple examples there.

You can also do it something like this with tokens. This example dashboard shows how you can use a token to control what form of C1 looks like. See $tok_row$ usage.

<form version="1.1">
  <label>test</label>
  <init>
    <set token="tok_row">0</set>
  </init>
  <search id="base_data">
    <query>
| makeresults count=5
| fields - _time
| streamstats c as row
``` lets say there is one table with 4 columns - C1, C2, C3, C4 and 5 rows - R1, R2, R3, R4, R5.
Consider Column C2 has 1 value in R1, 10 values in R2, 4 values in R3, 5 values in R4, 2 values in R5.```
| eval C1=case(row=1, "Value1", 
               row=2, split("Value1,Value2,Value3,Value4,Value5,Value6,Value7,Value8,Value9,Value10", ","),
               row=3, split("Value1,Value2,Value3,Value4", ","),
               row=4, split("Value1,Value2,Value3,Value4,Value5", ","),
               row=5, split("Value1,Value2", ","))
| eval C1=mvmap(C1, C1."_R".row)
| foreach 2 3 4 [  eval C&lt;&lt;FIELD&gt;&gt;=random() % 10000 ]
| eval C1_FULL=C1
    </query>
  </search>
  <row>
    <panel>
      <table>
        <search base="base_data">
          <query>
| eval C1=if(row=$tok_row$, C1_FULL, mvindex(C1_FULL, 0, 0))
          </query>
        </search>
        <fields>"C1","C2","C3","C4"</fields>
        <drilldown>
          <eval token="tok_row">if($row.row$=$tok_row$, 0, $row.row$)</eval>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

Hope this gives you some ideas

0 Karma

Rajini
Engager

@bowesmana  This is exactly what i was looking for, and its excellent. Thank you for your response!

I tried your query its working great but when i implement the same to my query it is not working. it is still showing the multiple values and when i clicked on the row it is displaying "search is waiting for input.." message.

The results i am displaying is the values() through stats, please let me know if that could be the reason for not working or anything else?

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Search is waiting for input is a token problem, please post your XML search and drilldown segment

0 Karma

Rajini
Engager

Yes, I figured out the cause, It is fixed now. Thank you

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Rajini,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

Rajini
Engager

Help me understand why this 2 lines are for? I do have other fields other than values and sourcetype, need to apply this expansion for 2nd column.(column name= Values)

| eval C1=mvmap(C1, C1."_R".row)
| foreach 2 3 4 [ eval C&lt;&lt;FIELD&gt;&gt;=random() % 10000 ]

0 Karma

bowesmana
SplunkTrust
SplunkTrust

That's just setting up dummy data for the example. The mvmap just concatenates ValueX with R.# to make each of the elements of C1 show the value + row number.

foreach just makes field C# equal to a random number, where # is a loop from 2, 3, 4 in the foreach.

0 Karma

Rajini
Engager

Here is something similar to what i have tried. Please let me know where i might be making mistake.

<form version="1.1" theme="dark">
<label>test</label>
<init>
<set token="tok_row">0</set>
</init>
<search id="base_data">
<query>index="_internal" earliest=-15m@m |stats values(source) as Values by sourcetype
| eval column_expansion=Values
</query>
</search>
<row>
<panel>
<table>
<search base="base_data">
<query>
| eval Values=if(row=$tok_row$, column_expansion, mvindex(column_expansion, 0, 0))
</query>
</search>
<fields>"Values","sourcetype"</fields>
<drilldown>
<eval token="tok_row">if($row.row$=$tok_row$, 0, $row.row$)</eval>
</drilldown>
</table>
</panel>
</row>
</form>

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...