Dashboards & Visualizations

How to display a dynamic number of fields in dashboard panel table?

RickCurry
Explorer

I have a dashboard with a panel to which I want to show various levels of detail of the search results. The idea is to first show the basic information the user will see and if there are "values of interest", they will use a drop-down listbox to select a deeper level of detail.

However, in order to keep all of the fields of interest available, the search defines all of the fields that need to be displayed and uses the "fields" option to select the set of fields from the search results . I tried setting a token based on which item from the drop-down list is selected to define the fields to display but when I try to save the dashboard code I get an error. (It's the error that states there is a jscript issue and provides a link to the error report -- which for me doesn't show my work -- and a link back to the broken dashboard code in the dashboard editor.) I think the problem is getting the double-quote marks to translate from the "set token" option to pass into the "fields" option.

Has anyone tried to define a variable number of fields to display in a dashboard panel table using this method or something like it? I know I can use multiple "table" elements, each with its own "depends" clause, but the variable "fields" setting would be cleaner in my mind; if I can get it to work, that is. That way I have one search to cover all bases versus three to support the three level of displays the user has requested.

1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Another way to think about it would be to have multiple panels in the same location, and hide the ones you don't need while making the one you do, visible. you'd use the "depends" keyword or its negative cousin, "reject".

Examples are here - https://answers.splunk.com/answers/218623/how-to-hide-panels-with-no-results-from-a-dashboar.html
and here - https://answers.splunk.com/answers/188709/how-to-display-dashboard-panels-dynamically.html among other places.

View solution in original post

0 Karma

RickCurry
Explorer

The error I get when I try to save the dashboard with the above code is:

400 Bad Request

Return to Splunk home page

XML Syntax Error: No JSON object could be decoded
View more information about your request (request ID = 588b5131127f7380173c50) in Search 

This is followed by a link that takes me back to the dashboard XML editor. The link associated with the error message and request ID does not provide any results.

0 Karma

RickCurry
Explorer

I am using Splunk 6.4.4.

The dashboard is a form and I am editing the source in the dashboard XML editor.

Here is code snippets showing how I am creating and using the tokens:

      <input type="dropdown" token="" searchWhenChanged="true">
        <label>Data Display Detail:</label>
        <choice value="1">Level 1</choice>
        <choice value="2">Level 2</choice>
        <choice value="3">Level 3</choice>
        <default>1</default>
        <initialValue>1</initialValue>
        <change>
          <condition value="1">
            <set token="token_search">bin _time span=24h | stats count as "Failures" list(event_time), list(sql_command), list(object_type), list(query) by _time, db_user | where 'Failures'&gt; 14 | stats count as "Violations" list(Failures), list(list(event_time)), list(list(sql_command)), list(list(object_type)), list(list(query)) by _time, db_user</set>
            <set token="token_level">1</set>
            <set token="token_fields"></set>
          </condition>
          <condition value="2">
            <set token="token_search">bin _time span=24h | stats count as "Failures" list(event_time), list(sql_command), list(object_type), list(query) by _time, dest_ip, dest_host, db_name, db_user | where 'Failures'&gt; 14 | stats count as "Violations" list(Failures), list(list(event_time)), list(list(sql_command)), list(list(object_type)), list(list(query)) by _time, dest_ip, dest_host, db_name, db_user</set>
            <set token="token_level">2</set>
            <set token="token_fields">"Destination IP Address", "Destination Server Name", "Database Name",</set>
          </condition>
          <condition value="3">
            <set token="token_search">bin _time span=24h | stats count as "Failures" list(event_time), list(sql_command), list(object_type), list(query) by _time, src_ip, os_user, src_app, dest_ip, dest_host, db_name, db_user | where 'Failures'&gt; 14 | stats count as "Violations" list(Failures), list(list(event_time)), list(list(sql_command)), list(list(object_type)), list(list(query)) by _time, src_ip, os_user, src_app, dest_ip, dest_host, db_name, db_user</set>
            <set token="token_level">3</set>
            <set token="token_fields">"Source IP Address", "OS User", "Source App", "Destination IP Address", "Destination Server Name", "Database Name",</set>
          </condition>
        </change>
      </input>
      <table>
        <search base="access_violations">
          <query>search $severity_tok$ $src_ip_tok$ $src_app_tok$ $os_user_tok$ $dest_ip_tok$ $db_name_tok$ $db_user_tok$ $include_user_type$ $exclude_user_type$ | $token_search$</search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
        <drilldown>
          <set token="showDetails">true</set>
          <set token="event_time">$row.Event Time$</set>
          <set token="source_ip">$row.Source IP$</set>
          <set token="os_user">$row.OS User$</set>
          <set token="src_app">$row.Source Application$</set>
          <set token="dest_ip">$row.Destination IP$</set>
          <set token="dest_host">$row.Destination Hostname$</set>
          <set token="db_name">$row.Database Name$</set>
          <set token="sql_command">$row.SQL Command$</set>
          <set token="object_type">$row.Object Type$</set>
        </drilldown>
        <fields>[ "_time", $token_fields$ "Database User", "Violations", "Failures"]</fields>
      </table>

NOTE: The tokens in the first part of the post-processing search are created by single-selection listboxes at the top of the dashboard form. The search works perfectly for what we want to report. The current iteration of the code lists all of the desired fields for the panel to display so when a lower level of detail is selected, the panel has not data for the unused columns. We are wanting to display only those columns that will contain data.

We are using the "fields" clause/module to limit what data to display but also allowing all of the search result fields to be available should the user decide to "Open in search" so they will not need to alter the search once it runs to remove the fields command to get all of the data.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Another way to think about it would be to have multiple panels in the same location, and hide the ones you don't need while making the one you do, visible. you'd use the "depends" keyword or its negative cousin, "reject".

Examples are here - https://answers.splunk.com/answers/218623/how-to-hide-panels-with-no-results-from-a-dashboar.html
and here - https://answers.splunk.com/answers/188709/how-to-display-dashboard-panels-dynamically.html among other places.

0 Karma

RickCurry
Explorer

I thought of that and am holding it as my 'fall back' option, but that will mean that I have three searches that run versus only one. I am trying to make this as efficient as I can while still meeting the user's expectations.

0 Karma

ian_thomas
Path Finder

Any update on this? I am looking at exact same dilemma.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Hi @RickCurry

How are you adding your token and what version of Splunk are you running? If your editing the source directly, you may have forgotten to change the dashboard to a form.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

And would be helpful if you can add your dashboard xml as well, and/or search query where you're using tokens in the fields command.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...