Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add show more and show less function to the table column?

Rajini
Engager
‎09-18-2023 05:22 AM

Hello Everyone..

Please reply if you have any solution to add show more and show less function in splunk dashboard table column.

lets say there is one table with 4 columns - C1, C2, C3, C4 and 5 rows - R1, R2, R3, R4, R5.

Consider Column C2 has 1 value in R1, 10 values in R2, 4 values in R3, 5 values in R4, 2 values in R5.

I have to make 1 value to show as default and if there is value more than one then "show more" option should get enabled to expand the remaining details and "show less" option to collapse the expanded details.

Thanks in Advance!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-18-2023 03:51 PM

There are a couple of ways you can do this, one with simple token usage and one with javascript.

For the JS, see the 'Table row expansion' example in the Splunk dashboard examples app

https://splunkbase.splunk.com/app/1603

there are some simple examples there.

You can also do it something like this with tokens. This example dashboard shows how you can use a token to control what form of C1 looks like. See $tok_row$ usage.

<form version="1.1">
  <label>test</label>
  <init>
    <set token="tok_row">0</set>
  </init>
  <search id="base_data">
    <query>
| makeresults count=5
| fields - _time
| streamstats c as row
``` lets say there is one table with 4 columns - C1, C2, C3, C4 and 5 rows - R1, R2, R3, R4, R5.
Consider Column C2 has 1 value in R1, 10 values in R2, 4 values in R3, 5 values in R4, 2 values in R5.```
| eval C1=case(row=1, "Value1", 
               row=2, split("Value1,Value2,Value3,Value4,Value5,Value6,Value7,Value8,Value9,Value10", ","),
               row=3, split("Value1,Value2,Value3,Value4", ","),
               row=4, split("Value1,Value2,Value3,Value4,Value5", ","),
               row=5, split("Value1,Value2", ","))
| eval C1=mvmap(C1, C1."_R".row)
| foreach 2 3 4 [  eval C&lt;&lt;FIELD&gt;&gt;=random() % 10000 ]
| eval C1_FULL=C1
    </query>
  </search>
  <row>
    <panel>
      <table>
        <search base="base_data">
          <query>
| eval C1=if(row=$tok_row$, C1_FULL, mvindex(C1_FULL, 0, 0))
          </query>
        </search>
        <fields>"C1","C2","C3","C4"</fields>
        <drilldown>
          <eval token="tok_row">if($row.row$=$tok_row$, 0, $row.row$)</eval>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

Hope this gives you some ideas

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-18-2023 03:51 PM

There are a couple of ways you can do this, one with simple token usage and one with javascript.

For the JS, see the 'Table row expansion' example in the Splunk dashboard examples app

https://splunkbase.splunk.com/app/1603

there are some simple examples there.

You can also do it something like this with tokens. This example dashboard shows how you can use a token to control what form of C1 looks like. See $tok_row$ usage.

<form version="1.1">
  <label>test</label>
  <init>
    <set token="tok_row">0</set>
  </init>
  <search id="base_data">
    <query>
| makeresults count=5
| fields - _time
| streamstats c as row
``` lets say there is one table with 4 columns - C1, C2, C3, C4 and 5 rows - R1, R2, R3, R4, R5.
Consider Column C2 has 1 value in R1, 10 values in R2, 4 values in R3, 5 values in R4, 2 values in R5.```
| eval C1=case(row=1, "Value1", 
               row=2, split("Value1,Value2,Value3,Value4,Value5,Value6,Value7,Value8,Value9,Value10", ","),
               row=3, split("Value1,Value2,Value3,Value4", ","),
               row=4, split("Value1,Value2,Value3,Value4,Value5", ","),
               row=5, split("Value1,Value2", ","))
| eval C1=mvmap(C1, C1."_R".row)
| foreach 2 3 4 [  eval C&lt;&lt;FIELD&gt;&gt;=random() % 10000 ]
| eval C1_FULL=C1
    </query>
  </search>
  <row>
    <panel>
      <table>
        <search base="base_data">
          <query>
| eval C1=if(row=$tok_row$, C1_FULL, mvindex(C1_FULL, 0, 0))
          </query>
        </search>
        <fields>"C1","C2","C3","C4"</fields>
        <drilldown>
          <eval token="tok_row">if($row.row$=$tok_row$, 0, $row.row$)</eval>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

Hope this gives you some ideas

0 Karma
Reply
Solved! Jump to solution

Rajini
Engager
‎09-19-2023 12:01 AM

@bowesmana  This is exactly what i was looking for, and its excellent. Thank you for your response!

I tried your query its working great but when i implement the same to my query it is not working. it is still showing the multiple values and when i clicked on the row it is displaying "search is waiting for input.." message.

The results i am displaying is the values() through stats, please let me know if that could be the reason for not working or anything else?

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-19-2023 12:26 AM

Search is waiting for input is a token problem, please post your XML search and drilldown segment

0 Karma
Reply
Solved! Jump to solution

Rajini
Engager
‎09-19-2023 02:38 AM

Yes, I figured out the cause, It is fixed now. Thank you

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2023 02:39 AM

Hi @Rajini,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

Rajini
Engager
‎09-19-2023 01:04 AM

Help me understand why this 2 lines are for? I do have other fields other than values and sourcetype, need to apply this expansion for 2nd column.(column name= Values)

| eval C1=mvmap(C1, C1."_R".row)
| foreach 2 3 4 [ eval C&lt;&lt;FIELD&gt;&gt;=random() % 10000 ]

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-19-2023 04:42 PM

That's just setting up dummy data for the example. The mvmap just concatenates ValueX with R.# to make each of the elements of C1 show the value + row number.

foreach just makes field C# equal to a random number, where # is a loop from 2, 3, 4 in the foreach.

0 Karma
Reply
Solved! Jump to solution

Rajini
Engager
‎09-19-2023 12:44 AM

Here is something similar to what i have tried. Please let me know where i might be making mistake.

<form version="1.1" theme="dark">
<label>test</label>
<init>
<set token="tok_row">0</set>
</init>
<search id="base_data">
<query>index="_internal" earliest=-15m@m |stats values(source) as Values by sourcetype
| eval column_expansion=Values
</query>
</search>
<row>
<panel>
<table>
<search base="base_data">
<query>
| eval Values=if(row=$tok_row$, column_expansion, mvindex(column_expansion, 0, 0))
</query>
</search>
<fields>"Values","sourcetype"</fields>
<drilldown>
<eval token="tok_row">if($row.row$=$tok_row$, 0, $row.row$)</eval>
</drilldown>
</table>
</panel>
</row>
</form>

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! &#x1f389; ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...