Dashboards & Visualizations

How to map link for the existing splunk dashboard dynamically?

karthi2809
Builder

Hi All,

How to map splunk dashboard link based on the values  on the field. And i have existing dashboard so i need to map based on the values onclick the link it will open the existing dashboard

Ex:

Namelink
abcclick here
bbcclick here
ccdclik here

 

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

do you have in payLoadInterface the same values "aaa", "bbb", "ccc" ?

if yes, you can join the Link to the events, otherwise, it isn't possible.

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

you could put the list of links and names in a lookup (called e.g. links.csv) and containing at least two columns (Name, Link).

Then you could run something ike this:

 <row>
    <panel>
      <table>
        <title>Use Cases</title>
        <search>
          <query>
            | inputlookup links.csv 
            | sort Name Link
            | table Name Link
          </query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition match="isnotnull($row.Link$)">
            <link target="_blank">/app/your_app/$row.Link$</link>
          </condition>
          <condition match="isnull($row.Link$)"/>
        </drilldown>
      </table>
    </panel>
  </row>

In this way with a click you run your dashboard.

If the dashboards are in different apps then the present one, you have to add the full path.

 Ciao.

Giuseppe

karthi2809
Builder

Hi @gcusello 

This the query which i am trying to map Interfacename and link .So i appended the inputlookup with base query .In base query also i have interface name.So i am trying to map the values.But the link is not populating in the table.

index="mulesoft"  environment=PRD
| rename content.payload.Status as Status
    | append [ inputlookup link.csv | table Link InterfaceName]
| stats  values(content.payload.InterfaceName) as payLoadInterface values(content.payload.ErrorMessage) as ErrorMsg earliest(timestamp) as Timestamp  values(priority) as Priority values(tracePoint) as Tracepoint values(Link) as Link values(InterfaceName) as Interface by correlationId 
| eval names = if ( isnull ( mvfind ( message, "DISABLED" ) ), null, message ) 
| eval Response= coalesce(SuccessResponse,Successresponse,msg,names,ErrorMsg)
| eval InterfaceName= coalesce(Interface,payLoadInterface)
| table Status Timestamp InterfaceName Link Response correlationId message Priority Tracepoint|fields - message Tracepoint Priority|search InterfaceName="*" | where Status LIKE ("%")|sort -Timestamp

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

in the lookup there isn't the correlationId field, how can you correlate the lookup with the results? what is the common key to use gor the correlation?

Then you don't need to append the lookup to the search, you can use the lookup command to join the link to the events by the correlationId (or another field).

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

Hi @gcusello 

Need to map based on interface name with link

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

to join the content of a lookup with a search, you must have a common key, what's this key?

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

Hi @gcusello 

In lookup file i have two fields one is interface name another one is link based on interface name we can map Right.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

have you in the search a nother field with the values to correlate with interfacename?

field values must be the same.

if yes, you can use this field to join the lookup.

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

Hi @gcusello 

yes i have another field as interfacename is given below and in my lookup file i have same name as Interfacename . But i dont know to map values using append.

values(content.payload.InterfaceName) as InterfaceName

 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

at first rename your field before the stats command, then don't use append but the lookup command (https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Lookup).

index="mulesoft"  environment=PRD
| rename 
     content.payload.Status AS Status 
     content.payload.InterfaceName) AS payLoadInterface
     content.payload.ErrorMessage AS ErrorMsg 
| lookup link.csv Link InterfaceName AS payLoadInterface OUTPUT Link
| stats  
     values(payLoadInterface) AS payLoadInterface
     values(ErrorMsg) AS ErrorMsg
     earliest(timestamp) AS Timestamp  
     values(priority) AS Priority 
     values(tracePoint) AS Tracepoint 
     values(Link) AS Link 
     values(payLoadInterface) AS payLoadInterface 
     BY correlationId 
| eval 
     names=if(isnull(mvfind(message,"DISABLED")),null,message), 
     Response=coalesce(SuccessResponse,Successresponse,msg,names,ErrorMsg),
     payLoadInterface=coalesce(Interface,payLoadInterface)
| table Status Timestamp InterfaceName Link Response correlationId message Priority Tracepoint
| search payLoadInterface="*" 
| sort -Timestamp

Then the condition Status LIKE (,"%") is wrong, what do you want to check?.

Ciao.

Giuseppe

karthi2809
Builder

Hi @gcusello 

1.Still i am not able to get Link values in the table .


2. Then the condition Status LIKE (,"%") is wrong, what do you want to check?. --->checking for Status  as *

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

check the values of payLoadInterface from the search, because they must match with the related values in the lookup, in this way, you can join them and have the Link.

about the Status condition, remove it because you don't have the Status field in the stats command.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

do you have in payLoadInterface the same values "aaa", "bbb", "ccc" ?

if yes, you can join the Link to the events, otherwise, it isn't possible.

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

Yes i copy pasted the same payLoadInterface  into csv file.But i dont know why is not coming .And how to check the values from lookup file is getting populated

The values like DSR_TEST,DSR_TEST1,DSR_TEST2

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

check if in the Lookup definition you flagged the case sensitivity flag, in case unflag it.

see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

karthi2809
Builder

Hi @gcusello 

Got it thanks , I dint defined in lookup definition. Now its mapping .One more thing i just want to add table name as URL in that it will shows Click here. Inside that I need to map the URL.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

you could add a fixed field using eval, maintaining the link in the search (otherwise you cannot pass it to the drilldown) not displaying the Link itself in the panel (using the <fields></fields> tag.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated  ;.)

 

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...