
How to pass a value from the search in one tab for use in another tab using Simple XML?

ektasiwani
Communicator

Hi,

My requirement is like this:

I have an application with two tabs. I want to run a Splunk search in one tab and use the result in the other tab.

For example:

In the first tab, I want to run a search to get a list of students with their marks.
And in the other tab I want to use the topper's name to congratulate him/her.
I don't want to run that search again in the second tab.
My dashboard is in XML.
Can this be achieved by using tokens? If yes, can anyone tell me how?
I know how to pass a token from one panel to another in the same tab, but I am not able to pass it from one tab to another.

Can anyone help me with that?

Thanks

0 Karma

gyslainlatsa
Motivator

Hi,
I propose using a drilldown that will take the value from the first table, pass it to the second table, and trigger the results of that second table. Here is an example of code I used recently to do this with a drilldown.

First step: you create the first table (page1.xml), and inside the code you use a drilldown tag that will capture the value of the field you wish to pass to the second table, which you must create first.

Second step: create the second table (page2.xml), whose display will be conditioned by the value of the first table's field.

Try it and let me know if that helps you.

page1.xml

<form>
  <label>Tickets List</label> <!-- assumed: the original label tag was lost; page2.xml uses the same label -->
  <description>this dashboard list all tickets, and let you update a ticket</description>

  <fieldset autoRun="true" submitButton="false">

    <input type="time" searchWhenChanged="true">
      <label>Select a time</label>
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>

    <input type="dropdown" token="TicketNumber" searchWhenChanged="true">
      <label>Select the TicketNumber</label>
      <choice value="*">All</choice>
      <search>
        <query>index=ticket report="ticket1" |stats first(TicketNumber) by TicketNumber</query>
      </search>
      <default>*</default>
      <fieldForLabel>TicketNumber</fieldForLabel>
      <fieldForValue>TicketNumber</fieldForValue>
      <prefix>TicketNumber="</prefix>
      <suffix>"</suffix>
    </input>

    <input type="multiselect" token="host" searchWhenChanged="true">
      <label>Host</label>
      <prefix>(</prefix>
      <valuePrefix>host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>OR </delimiter>
      <choice value="*">All</choice>
      <suffix>)</suffix>
      <search>
        <query>index=ticket report="ticket1" |stats count by host</query>
      </search>
      <default>*</default>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>

    <input type="multiselect" token="status" searchWhenChanged="true">
      <label>Status</label>
      <prefix>(</prefix>
      <valuePrefix>status="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <choice value="*">All</choice>
      <suffix>)</suffix>
      <search>
        <query>index=ticket report="ticket1" $TicketNumber$ |stats first(status) as status by TicketNumber |stats count by status</query>
      </search>
      <default>*</default>
      <fieldForLabel>status</fieldForLabel>
      <fieldForValue>status</fieldForValue>
    </input>

    <input type="multiselect" token="comment" searchWhenChanged="true">
      <label>Comments</label>
      <prefix>(</prefix>
      <valuePrefix>Comments="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <choice value="*">All</choice>
      <suffix>)</suffix>
      <search>
        <query>index=ticket report="ticket1" $TicketNumber$ |stats first(Comments) as Comments by TicketNumber |stats count by Comments</query>
      </search>
      <default>*</default>
      <fieldForLabel>Comments</fieldForLabel>
      <fieldForValue>Comments</fieldForValue>
    </input>

  </fieldset>


  <row>
    <panel>
      <table id="master">
        <title>Tickets for $host$, $status$, generated by Error_alert, triggered</title>
        <search>
          <query>index=ticket report="ticket1" $host$ $TicketNumber$ $status$ $comment$ |dedup TicketNumber
             |table TicketNumber Alerttime status Comments Raw 
          </query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>

        <drilldown>
          <!-- Use set to specify the new token to be created.
            Use any token from the page or from the click event to produce the value needed. -->  
          <link>/app/CPU/tickets_list2?form.TicketNumber=$row.TicketNumber$</link>
        </drilldown>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

page2.xml

<form>
  <label>Tickets List</label>
  <description>this dashboard list all tickets, and let you update a ticket</description>
 <row>
  <panel>
    <title>Update: $TicketNumber$ generate by Error_alert, triggered</title>

      <input type="text" token="TicketNumber" searchWhenChanged="true">
      <label>Enter a TicketNumber:</label>
      <default></default>
      </input>

      <input type="text" token="comment2" searchWhenChanged="true">
        <label>Update the comment</label>
      </input>

      <input type="dropdown" token="newstatus" searchWhenChanged="true">
        <label>Change the ticket status</label> 
        <choice value="Open">Open</choice>
        <choice value="Closed">Closed</choice>
        <choice value="In progress">In progress</choice>
        <default></default>
        <change>
          <condition value="Open">
            <set token="new_search">index=ticket report="ticket1" TicketNumber="$TicketNumber$"
              |eval status1="Open"
              |eval hist_status=if( status1 != status,"status change from: " +  status + " to :" +  status1,"status no change")
              |eval hist_comment=if(Comments != "$comment2$","old comment is :" + Comments + " new comment is :" + "$comment2$" , "comments no change")  
              |eval status_set_time=strftime(_time,"%Y-%m-%d %H%M%S")
              |eval status_change=if(status1 != status,"yes","no")
              |eval status=status1
              |eval Comments="$comment2$" |head 1
              |table TicketNumber  Alerttime status Comments status_set_time hist_status hist_comment status_change Raw
              |collect index=ticket marker="report=\"ticket1\""</set>
          </condition>

          <condition value="Closed">
            <set token="new_search">index=ticket report="ticket1" TicketNumber="$TicketNumber$"
              |eval status1="Closed"
              |eval hist_status=if( status1 != status,"status change from: " +  status + " to :" +  status1,"status no change")
              |eval hist_comment=if(Comments != "$comment2$","old comment is :" + Comments + " new comment is :" + "$comment2$" , "comments no change") 
              |eval status_set_time=strftime(_time,"%Y-%m-%d %H%M%S")
              |eval status_change=if( status1 != status,"yes","no")
              |eval status=status1
              |eval Comments="$comment2$"
              |eval NewTicketNumber=round(_time) |head 1
              |table TicketNumber  Alerttime status Comments status_set_time hist_status hist_comment status_change Raw
              |collect index=ticket marker="report=\"ticket1\""
            </set>
          </condition>

          <condition value="In progress">
            <set token="new_search">index=ticket report="ticket1" TicketNumber="$TicketNumber$"
              |eval status1="In progress"
              |eval hist_status=if( status1 != status,"status change from: " +  status + " to :" +  status1,"status no change")
              |eval hist_comment=if(Comments != "$comment2$","old comment is :" + Comments + " new comment is :" + "$comment2$" , "comments no change")
              |eval status_set_time=strftime(_time,"%Y-%m-%d %H%M%S")
              |eval status_change=if(status1 != status,"yes","no")
              |eval status=status1
              |eval Comments="$comment2$" |head 1
              |table TicketNumber  Alerttime status Comments status_set_time hist_status hist_comment status_change Raw
              |collect index=ticket marker="report=\"ticket1\""
            </set>
          </condition>
        </change>
      </input>

      <table>
        <title>Table</title>
        <search>
          <query>$new_search$</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="count">5</option>
      </table>
    </panel>
  </row>

</form>
0 Karma

ektasiwani
Communicator

Here also you are defining the ticketnumber token in both XML pages.
Can we instead define a token for sourcetype in page1.xml, for example by providing a text box where the user enters the sourcetype, and then use the same sourcetype provided by the user in page2.xml?

There would be no need to provide the sourcetype again in page2.xml.

0 Karma

gyslainlatsa
Motivator

Hi,
yes, you can get the sourcetype from page1.xml in page2.xml: just use a text box to enter the sourcetype in page1.xml and condition the drilldown on the value of this sourcetype, and it will appear in page2.xml without any trouble. In my code I conditioned the drilldown on the value of ticketNumber; you only need to edit it to use the sourcetype instead.

let me know if this will work as desired.

0 Karma
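As an added example (not code from this thread), here is a minimal page1.xml/page2.xml pair that applies the answer above to both questions in the thread: the sourcetype typed once on page1 and the TicketNumber of the clicked row are both forwarded in the drilldown URL, so page2 never prompts for the sourcetype again. The app name `search` and the dashboard id `tickets_list2` are assumptions.

```xml
<!-- page1.xml: the user types the sourcetype once; the drilldown forwards it -->
<form>
  <label>Tickets List</label>
  <fieldset submitButton="false">
    <input type="text" token="sourcetype" searchWhenChanged="true">
      <label>Enter a sourcetype</label>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=ticket $sourcetype$ | dedup TicketNumber | table TicketNumber status</query>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- form.<token> in the URL pre-fills page2's input of the same name; $form.sourcetype$
               is the raw typed value (page2 re-applies prefix/suffix) and |u URL-encodes it. -->
          <link>/app/search/tickets_list2?form.sourcetype=$form.sourcetype|u$&amp;form.TicketNumber=$row.TicketNumber|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
<!-- page2.xml (dashboard id tickets_list2): the sourcetype is not asked for again -->
<form>
  <label>Ticket Details</label>
  <fieldset submitButton="false">
    <input type="text" token="sourcetype">
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="TicketNumber">
      <prefix>TicketNumber="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=ticket $sourcetype$ $TicketNumber$ | head 1 | table TicketNumber status Comments</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Values arriving in the URL can be edited by whoever opens the link, so treat them as untrusted input; the search on page2 still runs with the viewing user's own permissions, so nothing is exposed that the user could not search for directly.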

ektasiwani
Communicator

Here it is showing how to save a search and use it in a different panel of the same dashboard.
I want to use it in a different dashboard.
And in Simple XML, if possible.

0 Karma

ektasiwani
Communicator

Here "tabs" means pages.
Let's imagine I have two XML pages:
page1.xml and page2.xml.
I want to run the search query in page1.xml, or define a token in page1.xml,
and want to use that token in page2.xml.

Is it possible?

0 Karma

gyslainlatsa
Motivator

Hi,
please post your XML code and let me check how to do it.

0 Karma