Dashboards & Visualizations

How to extract a value between parentheses and use it for a drill-down link

jamieadahan
Path Finder

Hi All,

I want to extract from my Routing_Location field the integer in between the parentheses and then use it for a drilldown link.

I'll give an example:

Routing_Location
USA,Verizon_Cell (1345)
USA,Sprint_Cell(3451)

I want to click on the cell where 1345 is and use it in a drilldown link like

www.example.com/drilldown.php?route_loc_num=$row.Routing_Location_Num$

I have tried to use rex "\[(?<Routing_Location>[^\]]*)"
but it can only be used within the search and not how I used it:

www.example.com/drilldown.php?route_loc_num="\[(?<$row.Routing_Location$>[^]]*)"

Is there anything I can use before adding the link to the drilldown to assign the value in the parentheses to a variable and then use the variable in the link?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @jamieadahan,
you have to add to your search the extraction of the field, using a regex like this (beware your regex is wrong!) and adding this field to the table command:

| rex field=Routing_Location "\((?<field>\d+)\)"

that you can test at https://regex101.com/r/SPDc62/1

If there could be something other than numbers between the parentheses, you can use

| rex field=Routing_Location "\((?<field>[^\)]+)\)"

In this way you'll have an additional field that you can pass to the drilldown.

If you don't want to display this field but you want to use it for the drilldown, you must put it in the search and then add to the panel the following row:

<fields>fieldA,fieldB,fieldD</fields>

In this way you tell the dashboard which fields you want to display.

Ciao.
Giuseppe


jeffland
SplunkTrust

Just to add another option to the solution provided by @gcusello: you can use a field with an underscore in its name:

| rex field=Routing_Location "\((?<_hidden_field>[^\)]+)\)"

Tables never show columns prefixed with underscore (except for _time and _raw), which saves you the hassle of using the <fields> option of your table.

Furthermore, you could do this by evaluating a token in Simple XML, which would not require a change to your search and would not produce a hidden field either. Your drilldown would look like this (your search is kept as it was):

<table>
  <search>
    ...
  </search>
  <drilldown>
    <eval token="route_loc_tok">replace($row.Routing_Location$, "\D", "")</eval>
    <link>www.example.com/drilldown.php?route_loc_num=$route_loc_tok$</link>
  </drilldown>
  ...

jamieadahan
Path Finder

Hi @jeffland,

I just saw this as I was looking for a way to use a field from a search in a drill-down link without using the <fields> tag, because it was getting messed up by my multi-select input.

Would you know how I can implement this properly?

I did something wrong here. The token $fieldsANI$ is my multi-select. I added the underscore as you said to rdest and Called_Country_ID, and it hid them from the table but also from my drill-down.

 

<search>
          <query> ANI=$ANI$ 
| fillnull   
| eval Caller_Location=if(isnull(Caller_Location),"UnKnown",Caller_Location)
 
by Caller_Location,Routing_Location,rdest,Called_Country_ID,$fieldsANI$
| eval Routing_Location=Routing_Location+" ("+rdest+")"
| eval rdest=_rdest
| eval Called_Country_ID=_Called_Country_ID
| table Caller_Location,Routing_Location,_rdest,_Called_Country_ID,$fieldsANI$
| fields - Seconds
| sort -Attempts</query>
          <earliest>$Time_Range.earliest$</earliest>
          <latest>$Time_Range.latest$</latest>
        </search> 
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="wrap">false</option>
        <drilldown>
            <link target="_blank">https://art.comp.net/#/routing?country=$row._Called_Country_ID$&amp;location=$row._rdest$</link>
        </drilldown>

 

0 Karma

jeffland
SplunkTrust

There are at least two things off with your search. First of all, the search you posted has invalid syntax here:

 

| eval Caller_Location=...
    
by Caller_Location,...

 

My guess is the post is just missing a stats or something similar there.

However, a few lines after that, you're trying to eval the fields rdest and Called_Country_ID, this time to the value of fields called _rdest and _Called_Country_ID which aren't present at this point, so rdest and Called_Country_ID will also be null after this.

If you want to have an underscore-prefixed field in your table that is available for drilldown, but not shown to the user, you need to do it the other way around:

 

some search
| stats count by Caller_ID rdest
| eval _field_for_drilldown = Caller_ID + " (" + rdest + ")"

 

0 Karma
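
The extraction and hidden-field approach from the answers above, combined into one Simple XML panel; this is an added example, not code from any poster in the thread. The rows are constructed with makeresults (the two values from the question plus one constructed value whose name contains a digit), and the field names _route_loc_num and digits_only are assumptions.

```xml
<dashboard>
  <label>Routing drilldown (added example)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Rows are constructed: the two values from the question plus one
               whose name contains a digit, to compare the two extraction styles. -->
          <query><![CDATA[
| makeresults
| eval Routing_Location=split("USA,Verizon_Cell (1345);USA,Sprint_Cell(3451);USA,Verizon_4G (7788)", ";")
| mvexpand Routing_Location
| rex field=Routing_Location "\((?<_route_loc_num>\d+)\)"
| eval digits_only=replace(Routing_Location, "\D", "")
| where isnotnull(_route_loc_num)
| table Routing_Location digits_only _route_loc_num
          ]]></query>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- _route_loc_num is hidden by its underscore prefix but still
               available as a row token; |u URL-encodes it for the query string. -->
          <link target="_blank">https://www.example.com/drilldown.php?route_loc_num=$row._route_loc_num|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

For the third row, digits_only is 47788 while _route_loc_num is 7788, so stripping every non-digit only matches the parenthesised value when the rest of the field contains no digits.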

jamieadahan
Path Finder

Then what value would I add to the end of my link? Because I added $row.field$ and it didn't work.
Could this be because I have at the end of my search query a |table fielda,fieldb....

0 Karma

gcusello
SplunkTrust

Hi @jamieadahan,
as I said: you have to add the newly extracted field (e.g. my_new_field) to the table command; this way you can use it for the drilldown using $row.my_new_field$. Then, if you want to display it, you don't have to do anything; if you don't want to display it, use the additional row below.

Ciao.
Giuseppe

0 Karma

jamieadahan
Path Finder

Thank you very much for the answer!

I tested it out and it all works amazing now!

0 Karma

gcusello
SplunkTrust

You're welcome!
Ciao and next time.
Giuseppe

0 Karma