Solved: Re: How to map link for the existing splunk dashbo...

karthi2809 · ‎05-20-2024

Hi All,

How to map splunk dashboard link based on the values on the field. And i have existing dashboard so i need to map based on the values onclick the link it will open the existing dashboard

Ex:

Name	link
abc	click here
bbc	click here
ccd	clik here

gcusello · ‎05-22-2024

Hi @karthi2809,

do you have in payLoadInterface the same values "aaa", "bbb", "ccc" ?

if yes, you can join the Link to the events, otherwise, it isn't possible.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎05-20-2024

Hi @karthi2809,

you could put the list of links and names in a lookup (called e.g. links.csv) and containing at least two columns (Name, Link).

Then you could run something ike this:

 <row>
    <panel>
      <table>
        <title>Use Cases</title>
        <search>
          <query>
            | inputlookup links.csv 
            | sort Name Link
            | table Name Link
          </query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition match="isnotnull($row.Link$)">
            <link target="_blank">/app/your_app/$row.Link$</link>
          </condition>
          <condition match="isnull($row.Link$)"/>
        </drilldown>
      </table>
    </panel>
  </row>

In this way with a click you run your dashboard.

If the dashboards are in different apps then the present one, you have to add the full path.

Ciao.

Giuseppe

karthi2809 · ‎05-21-2024

Hi @gcusello

This the query which i am trying to map Interfacename and link .So i appended the inputlookup with base query .In base query also i have interface name.So i am trying to map the values.But the link is not populating in the table.

index="mulesoft"  environment=PRD
| rename content.payload.Status as Status
    | append [ inputlookup link.csv | table Link InterfaceName]
| stats  values(content.payload.InterfaceName) as payLoadInterface values(content.payload.ErrorMessage) as ErrorMsg earliest(timestamp) as Timestamp  values(priority) as Priority values(tracePoint) as Tracepoint values(Link) as Link values(InterfaceName) as Interface by correlationId 
| eval names = if ( isnull ( mvfind ( message, "DISABLED" ) ), null, message ) 
| eval Response= coalesce(SuccessResponse,Successresponse,msg,names,ErrorMsg)
| eval InterfaceName= coalesce(Interface,payLoadInterface)
| table Status Timestamp InterfaceName Link Response correlationId message Priority Tracepoint|fields - message Tracepoint Priority|search InterfaceName="*" | where Status LIKE ("%")|sort -Timestamp

gcusello · ‎05-22-2024

Hi @karthi2809,

in the lookup there isn't the correlationId field, how can you correlate the lookup with the results? what is the common key to use gor the correlation?

Then you don't need to append the lookup to the search, you can use the lookup command to join the link to the events by the correlationId (or another field).

Ciao.

Giuseppe

karthi2809 · ‎05-22-2024

Hi @gcusello

Need to map based on interface name with link

gcusello · ‎05-22-2024

Hi @karthi2809,

to join the content of a lookup with a search, you must have a common key, what's this key?

Ciao.

Giuseppe

karthi2809 · ‎05-22-2024

Hi @gcusello

In lookup file i have two fields one is interface name another one is link based on interface name we can map Right.

gcusello · ‎05-22-2024

Hi @karthi2809,

have you in the search a nother field with the values to correlate with interfacename?

field values must be the same.

if yes, you can use this field to join the lookup.

Ciao.

Giuseppe

karthi2809 · ‎05-22-2024

Hi @gcusello

yes i have another field as interfacename is given below and in my lookup file i have same name as Interfacename . But i dont know to map values using append.

values(content.payload.InterfaceName) as InterfaceName

gcusello · ‎05-22-2024

Hi @karthi2809,

at first rename your field before the stats command, then don't use append but the lookup command (https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Lookup).

index="mulesoft"  environment=PRD
| rename 
     content.payload.Status AS Status 
     content.payload.InterfaceName) AS payLoadInterface
     content.payload.ErrorMessage AS ErrorMsg 
| lookup link.csv Link InterfaceName AS payLoadInterface OUTPUT Link
| stats  
     values(payLoadInterface) AS payLoadInterface
     values(ErrorMsg) AS ErrorMsg
     earliest(timestamp) AS Timestamp  
     values(priority) AS Priority 
     values(tracePoint) AS Tracepoint 
     values(Link) AS Link 
     values(payLoadInterface) AS payLoadInterface 
     BY correlationId 
| eval 
     names=if(isnull(mvfind(message,"DISABLED")),null,message), 
     Response=coalesce(SuccessResponse,Successresponse,msg,names,ErrorMsg),
     payLoadInterface=coalesce(Interface,payLoadInterface)
| table Status Timestamp InterfaceName Link Response correlationId message Priority Tracepoint
| search payLoadInterface="*" 
| sort -Timestamp

Then the condition Status LIKE (,"%") is wrong, what do you want to check?.

Ciao.

Giuseppe

karthi2809 · ‎05-22-2024

Hi @gcusello

1.Still i am not able to get Link values in the table .

2. Then the condition Status LIKE (,"%") is wrong, what do you want to check?. --->checking for Status as *

gcusello · ‎05-22-2024

Hi @karthi2809,

check the values of payLoadInterface from the search, because they must match with the related values in the lookup, in this way, you can join them and have the Link.

about the Status condition, remove it because you don't have the Status field in the stats command.

Ciao.

Giuseppe

karthi2809 · ‎05-22-2024

Hi @gcusello

This my lookup

InterfaceName	Link
DSR_TEST	https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Lookup?_gl=11w7wkaf_ga*MTYzMTg2...
DSR_TEST1	https://community.splunk.com/t5/Splunk-Search/How-to-Combine-search-query-with-a-lookup-file-with-on...
DSR_TEST2	https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Gauge

gcusello · ‎05-22-2024

Hi @karthi2809,

do you have in payLoadInterface the same values "aaa", "bbb", "ccc" ?

if yes, you can join the Link to the events, otherwise, it isn't possible.

Ciao.

Giuseppe

karthi2809 · ‎05-22-2024

Yes i copy pasted the same payLoadInterface into csv file.But i dont know why is not coming .And how to check the values from lookup file is getting populated

The values like DSR_TEST,DSR_TEST1,DSR_TEST2

gcusello · ‎05-22-2024

Hi @karthi2809,

check if in the Lookup definition you flagged the case sensitivity flag, in case unflag it.

see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

karthi2809 · ‎05-22-2024

Hi @gcusello

Got it thanks , I dint defined in lookup definition. Now its mapping .One more thing i just want to add table name as URL in that it will shows Click here. Inside that I need to map the URL.

gcusello · ‎05-22-2024

Hi @karthi2809,

you could add a fixed field using eval, maintaining the link in the search (otherwise you cannot pass it to the drilldown) not displaying the Link itself in the panel (using the <fields></fields> tag.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated ;.)

How to map link for the existing splunk dashboard dynamically?

drilldown

panel

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024