Dashboards & Visualizations

How to create dynamic tables in a search query

Explorer

Hello guys,

I'm pretty new to Splunk and I'd like to see if there is a way in which I could create a query that would dynamically populate the necessary table columns based on an initial search value passed in from a drop down input.

For example, lets say my data contains multiple entries based on protocol, and I wish to display the results in a table. If the protocol is SFTP, I only want columns only pertaining to that protocol, I have about 5-10 unique protocols, and unique column requirements for each. I was attempting to build a search string to store the search I want based on a case statement, but that may not be possible.

Something along these lines is what I want to achieve the protocol will be passed dynamically from a drop down input, and I understand how to pass that value.

search protocol = "SFTP"
|eval searchString = case(
protocol == "SFTP", "remoteUserID=MyUserId, RemotePort=MyPort",
protocol == "HTTPS" "externalURL=myURL, SSLCert=MyCert", 1=1, "Not Found"
)
| search searchString

I also was looking into directly modifying the xml based on an article I found in regards to displaying columns dynamically in splunk (not enough karma points to point links): which would work if I could have a unique table list. Maybe there is another way where I could call different queries in my panel based on the drop down value selected?

Thanks!!

Labels (3)
Tags (1)
0 Karma
1 Solution

Explorer

Thank you for the input!! That gets me a lot closer to where I need to be, but I think I found an alternate approach that's going to work a bit better for my particular use case. I'm going to create multiple panes and using set/unset tokens to hide the panes that aren't selected. That way each pane can have it's own specific query that will get called when the particular protocol is set.

View solution in original post

0 Karma

Explorer

Thank you for the input!! That gets me a lot closer to where I need to be, but I think I found an alternate approach that's going to work a bit better for my particular use case. I'm going to create multiple panes and using set/unset tokens to hide the panes that aren't selected. That way each pane can have it's own specific query that will get called when the particular protocol is set.

View solution in original post

0 Karma

accept the answer that helped to close the question

0 Karma

Hi @adcon82 ,

try the following dashboard code and change the following token as per your requirement,
- searchstring - define your different search parameters for different dropdown values
- table
seq - define you the table column sequence for different dropdown values

<form>
  <label>Test Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="protocol" searchWhenChanged="true">
      <label>Protocol</label>
      <choice value="SFTP">SFTP</choice>
      <choice value="HTTPS">HTTPS</choice>
      <change>
        <condition label="SFTP">
          <set token="search_string">sourcetype=splunkd</set>
          <set token="table_seq">_time, _raw</set>
        </condition>
        <condition label="HTTPS">
          <set token="search_string">host=localhost</set>
          <set token="table_seq">_raw,_time</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal protocol=$protocol$ $search_string$
| table $table_seq$</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

accept & upvote the answer if it helps.

0 Karma

Contributor

Hi @adcon82,

You can do something like this. Please note that based on your use case you can define whole searches based on dropdown selected in token and use the token as the query in the table:

<form>
  <label>Dropdown based search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tknProtocol">
      <label>Protocol</label>
      <choice value="table SFTP">SFTP</choice>
      <choice value="table HTTP">HTTP</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=1 | eval SFTP="column value", HTTP="column value" | $tknProtocol$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

If you have specific starting characters in the column names based on protocol then you can do something like -> | table SFTP* (it will table all the columns with names starting with SFTP)

Hope this helps.

0 Karma

Explorer

Thank you Harshpatel! This seems to get me closer, but not sure this will work for what I'm trying to accomplish.

Lets say these are my three xml entries that I wish to search against in my data (Looks like I can't use XML tags in my post, but imagine the blow in xml format)

Data
Protocol SFTP /Protocol
UserName sftpUser /Username
Password 12345 /Password
Port 22 /Port
AuthMethod Password /AuthMethod
Filename myFilename /Filename
/Data
Data
Protocol HTTP /Protocol
RemoteURL MyURL /RemoteURL
RemotePort 80 /RemotePort
SSL False /SSL
/Data
Data
Protocol FTP /Protocol
UserName ftpUser /Username
Password 12345 /Password
Port 22 /Port
TransferMode Binary /TransferMode
Directory myDirectory /Directory
Filename myFilename /Filename
/Data

I have a protocol dropDown menu defined that has a list of protocols, using the token $dropDownProtocol$. So on my intial search, I can run a search: "search Protocol = $dropDownProtocol$". This will pull up all results for the given protocol selected from the drop down. But at this point, I wish to created a custom search for each of the protocols available in my dropdown. This was one of the reasons I was trying to nest searches inside of the case statement, basically saying if the value is "SFTP", then run a search on Username/Password/Port/AuthMethod/Filename, if it's HTTP, run a search on RemoteURL/RemotePort/SSL. In reality, there are dozens of nodes in each data tag, all unique to the given protocol. I can't use wildcards because there are many extraneous fields I do not wish to add to my table. I also wish to order the table in a specific way.

Is there a way to create multiple strings based on conditional logic, and only apply the search I need based on the condition evaluating as True? Or, as an alternative, is there a way in the case statment I could build a searchString variable that contains an entire search string to be executed?

Thanks

0 Karma

Contributor

Well, you can use eval in the xml as well. Not sure if this helps:

  <fieldset submitButton="false">
     <input type="dropdown" token="tknProtocol">
       <label>Protocol</label>
       <choice value="SFTP">SFTP</choice>
       <choice value="HTTP">HTTP</choice>
       <change>
          <condition value="SFTP">
              <eval token="tknFinal">case(0=0, "do this", 1=1, "do that")</eval>
          </condition>
          <condition>
          </condition>
       </change>
     </input>
   </fieldset>

Also, could you explain why the above solution doesn't work for you? Sorry I didn't get it.

0 Karma

Builder

You can start by creating a lookup table which has all the list of protocols and create a dropdown list on the dashboard.

You can then pass on the value from the dropdown to the panel. Make sure you use $protocol|s$. The |s is to add quotation mark to the string

<form>
  <label>Token Example</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="protocol" searchWhenChanged="true">
      <label>Protocol</label>
      <choice value="ssh">SSH</choice>
      <choice value="sftp">SFTP</choice>
      <choice value="http">HTTP</choice>
      <fieldForValue>protocol</fieldForValue>
      <search>
        <query/>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Token Examplle</title>
      <table>
        <search>
          <query>| makeresults
| eval protocol_value = $protocol|s$
| table protocol_value</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Your search can then be modified to use the protocol token being passed, to give you the desired output

0 Karma