Dashboards & Visualizations

How to drilldown on a table that uses display values from a lookup

DaClyde
Contributor

I have a dashboard with two levels of drilldowns. The first dashboard is a list of servers. Click on a server name and it gives you a list of that server's clients. Click on a client name and it shows you information from that client.

What I want to do is use a lookup to show a "friendly name" (like a business unit or division) instead of the actual server name. The problem I run into is that now the "friendly name" is what gets passed on as the $click.value$ to the client list. How can I display a "friendly name" but still have the drilldown use the original server name value on the drill down?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Rename the ugly field to _uglyfield, and use $row._uglyfield$ in your drilldown. The underscore will make the table hide the field.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Rename the ugly field to _uglyfield, and use $row._uglyfield$ in your drilldown. The underscore will make the table hide the field.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Not sure if it exists explicitly, but implicitly somewhere by stating that underscore fields are internal/hidden... Feel free to leave docs feedback in the dashboarding docs.

0 Karma

DaClyde
Contributor

Beautiful, that worked perfectly! Where is that little nugget in the documentation?

0 Karma

somesoni2
Revered Legend

If you're using table visualization, you can have your search query to have both actual server name as well as friendly name, but use <fields> element to display only the friendly name. The actual server name will still be available at drilldown. You would've to use $row.fieldnameforActualServer$ instead of $click.value$. See this

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/PanelreferenceforSimplifiedXML#table

DaClyde
Contributor

It has been awhile, but I'm back working on this. If I don't include the servername field in the <fields> list, it isn't passed in the drill down. If I include it in the <fields> list it shows up in the search results, but the drill down works.

What am I missing? How do I make the servername field available, but not visible in the initial results table?

0 Karma

somesoni2
Revered Legend

Other option you've is, pass the "Friendly name" to drilldown/client search, and then where you're using host filter (earlier when you were using host name), use a subsearch which uses that friendly name to fetch host names from the lookup. E.g.

Server List query:

| inputlookup yourlookup.csv | table FriendlyNameCol, hostNameCol | stats count by FriendlyNameCol | table FriendlyNameCol

When clicked it'll pass FriendlyNameCol value as $click.value$.

Client List query:

index=foo sourcetype=bar [ | inputlookup yourlookup.csv | where FriendlyNameCol="$drilldownToken$" | table hostNameCol] | .. rest of the search

DaClyde
Contributor

3 years later, I'm finally getting around to using this and it works great.  Thanks!

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...