Dashboards & Visualizations

How to make a header to a drilldown table?

iKate
Builder

I've added to a dashboard a drilldown table that appears after clicking any piece of stacked columns in a timechart. For this purpose the module ConvertToDrilldownSearch was used. The timechart shows dayly dynamics of the function "item".

Is it possible to add a header to the table that can show what data is represented? For example: "Purchases dynamics for the on <07/01/2012>"

Tags (2)
1 Solution

sideview
SplunkTrust
SplunkTrust

Sure. You can use a SimpleResultsHeader module. SimpleResultsHeader's 'headerFormat' param is one of the few core Splunk module params that can display $foo$ tokens from other selected elements upstream.

However note that if it's the split-by field value of a stacked timechart, you'll need $click.name2$ to get the split-by value, not $click.value$.

So here you go:

<module name="SimpleResultsHeader">
  <param name="entityName">results</param>
  <param name="headerFormat">Purchase dynamics for $click.name2$ $time$</param>
</module>

As a side note if you're already using Sideview Utils it's very similar but you would just use an HTML module, and the $time$ key becomes $search.timeRange.label$. It would then look like this.

<module name="HTML">
  <param name="html"><![CDATA[
    <h2>Purchase dynamics for $click.name2$ $search.timeRange.label$</h2>
  ]]></param>
</module>

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

Sure. You can use a SimpleResultsHeader module. SimpleResultsHeader's 'headerFormat' param is one of the few core Splunk module params that can display $foo$ tokens from other selected elements upstream.

However note that if it's the split-by field value of a stacked timechart, you'll need $click.name2$ to get the split-by value, not $click.value$.

So here you go:

<module name="SimpleResultsHeader">
  <param name="entityName">results</param>
  <param name="headerFormat">Purchase dynamics for $click.name2$ $time$</param>
</module>

As a side note if you're already using Sideview Utils it's very similar but you would just use an HTML module, and the $time$ key becomes $search.timeRange.label$. It would then look like this.

<module name="HTML">
  <param name="html"><![CDATA[
    <h2>Purchase dynamics for $click.name2$ $search.timeRange.label$</h2>
  ]]></param>
</module>
0 Karma

sideview
SplunkTrust
SplunkTrust

Well you can use any token that comes from upstream, so if you have a SearchSelectLister with a 'settingToCreate' param of "foo", then you can use $foo$ to display the user's selection. Note with Sideview Utils you get an expanded vocabulary of these tokens, there's a docs page in Sideview Utils talking just about the main ones are and how to use them, and the Sideview Editor has a "Runtime Debug" mode you can use to inspect the tokens in a living view to see what values are actually coming down from upstream.

0 Karma

iKate
Builder

That's terrific! Thank you very much! I knew about this module and have already used it but in this case I just didn't guess that one can use "click.name(2)" even without preliminary stating of it.

Now it's interesting what other parameters can be fetched into headerFormat except $click.name$ and $time$?)

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...