Dashboards & Visualizations

How to pass a multiselect input from one dashboard via drilldown to another?

aahiri
Explorer

Hello,

I have two dashboards, both with some input fields, with one of them being common between both; a multiselect input field.

This multiselect input field has a token prefix and a suffix with the delimiter OR.

  <label>Application</label>
  <choice value="app1">A</choice>
  <choice value="app2">B</choice>
  <valuePrefix>index=phase-</valuePrefix>
  <valueSuffix>-app</valueSuffix>
  <delimiter> OR </delimiter>
</input>

and in the search query, I have

| tstats count as Total WHERE ($app$)

So in the original dashboard, the search is fine.
However, in drilldown, I have Link to another dashboard
form.app=$app$
and this causes problems as it passes "index=phase-A-app OR index=phase-B-app" in form.app and in the target dashboard, due to the same token suffix and prefix , the token changes to "index=phase-index=phase-A-app OR index=phase-B-app-app" which is wrong.

So, my question is, how do I deal with this to be able to send form.app=A form.app=B to the destination dashboard?

Thanks in advance,
Regards,
aahiri

0 Karma
1 Solution

maciep
Champion

Here's a sample dashboard....the change on the input formats the token the way you need it...then you use it in the drilldown. In this case, the token on the destination dashboards is "t_comp".

Let me know if something like this works for you.

<form>
  <label>Eric_Test_10</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="t_component">
      <label>choose components</label>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd | stats count by component</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>component="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <change>
         <eval token="t_drilldown_tokens">"form.t_comp=" . replace(mvjoin($form.t_component$,","),",","&amp;form.t_comp=")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$t_drilldown_tokens$</title>
      <table>
        <title>$form.t_component$</title>
        <search>
          <query>index=_internal $t_component$
| stats count by component</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">eric_test_20?$t_drilldown_tokens|n$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

View solution in original post

maciep
Champion

Here's a sample dashboard....the change on the input formats the token the way you need it...then you use it in the drilldown. In this case, the token on the destination dashboards is "t_comp".

Let me know if something like this works for you.

<form>
  <label>Eric_Test_10</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="t_component">
      <label>choose components</label>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd | stats count by component</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>component="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <change>
         <eval token="t_drilldown_tokens">"form.t_comp=" . replace(mvjoin($form.t_component$,","),",","&amp;form.t_comp=")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$t_drilldown_tokens$</title>
      <table>
        <title>$form.t_component$</title>
        <search>
          <query>index=_internal $t_component$
| stats count by component</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">eric_test_20?$t_drilldown_tokens|n$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

aahiri
Explorer

Thanks for this! For sure it's a step in the right direction.
However, for some reason it doesn't seem to work all the time.
Sometimes even when both options are selected, only one of the options (random option) is passed in the $t_drilldown_tokens|n$

edit: i figured out why. it's because I have a submit button 😐

maciep
Champion

what if you pass the form token instead?

form.app=$form.app$

aahiri
Explorer

thank you! I tried this, and now I have
form.app=A,B

is there a way to manipulate this on the destination dashboard to make it two distinct values?

0 Karma

maciep
Champion

is it set up as an input on the destination too? If so, just give that input the same processing rules (prefix, suffix, delim, whatever) as in the source dashboard?

0 Karma

cpsplunkappsupp
Engager

It has the same values.
The issue is that when drilling down, the URL contains "form.indices=(history%2Csummary)" instead of "form.indices=history&form.indices=summary"

maciep
Champion

hmm...ok. i'm at work currently but can maybe try to work on an example later tonight, if i can get it working

cpsplunkappsupp
Engager

hi @aahiri
Did you find any solution for this? I have the same issue..

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...