Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to separate multiselect drilldown

jadengoho
Builder
‎02-14-2020 03:21 AM

Hi All,
How could i separate the values of multiselect inputs that came from a drilldown ?

The values came from a dashboard click drilldown to the mutiselect field, unfortunately token passed are joined in one box, how could i separate them ?

Hope the picture will help
alt text

Tags (1)
Preview file
6 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jadengoho
Builder
‎02-15-2020 07:38 PM

I've solve the issue. This page help me:
https://www.advisori.de/splunk-struggles-with-multiselects-and-how-to-rule-them-all-or-at-least-some...

As per my understanding: If you set a token in a table drilldown its in array form, and need to be converted in per line value*[Split command]* for it to work.

<form>
   <label>Mutiselect</label>
   <fieldset submitButton="false">
     <input type="multiselect" token="multiselect_token">
       <label>number</label>
       <choice value="1">1</choice>
       <choice value="2">2</choice>
       <choice value="3">3</choice>
       <delimiter>,</delimiter>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search>
           <query>|makeresults
 |eval value="1,2,3"</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
         <option name="count">10</option>
         <option name="drilldown">cell</option>
         <drilldown>
           <eval token="form.multiselect_token">split($row.value$,",")</eval>
         </drilldown>
       </table>
     </panel>
   </row>
 </form>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jadengoho
Builder
‎02-15-2020 07:38 PM

I've solve the issue. This page help me:
https://www.advisori.de/splunk-struggles-with-multiselects-and-how-to-rule-them-all-or-at-least-some...

As per my understanding: If you set a token in a table drilldown its in array form, and need to be converted in per line value*[Split command]* for it to work.

<form>
   <label>Mutiselect</label>
   <fieldset submitButton="false">
     <input type="multiselect" token="multiselect_token">
       <label>number</label>
       <choice value="1">1</choice>
       <choice value="2">2</choice>
       <choice value="3">3</choice>
       <delimiter>,</delimiter>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search>
           <query>|makeresults
 |eval value="1,2,3"</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
         <option name="count">10</option>
         <option name="drilldown">cell</option>
         <drilldown>
           <eval token="form.multiselect_token">split($row.value$,",")</eval>
         </drilldown>
       </table>
     </panel>
   </row>
 </form>
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎02-15-2020 02:03 PM

@jadengoho try the following two step process:

Step 1: Process a hidden field (prefix field name with underscore _ as one option for this), which prepares querystring for multiselect in the destination dashboard. i.e. splunkd,splunkd_access converts to form.tokSourcetype=splunkd&form.tokSourcetype=splunkd_access
Step 2: pass the same as token without escaping using |n to the token.

PS:

  • Do not use <default> option in multiselect populated with the drilldown token as the same is taken care by query string in the URL.
  • I have used $env:app$ to get the current app name for drilldown to the dashboard in the same app as source. You can specify app name if your drilldown is outside the current app.

Following is a run anywhere example where source_dashboard drills down to destination_dashboard:
SimpleXML for Source Dashboard source_dashboard

<dashboard>
  <label>Source Dashboard</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats values(sourcetype) as sourcetype where index=_internal earliest=-15min
| eval sourcetype=mvjoin(sourcetype,",")
| eval _sourcetypeQryStr="form.tokSourcetype=".replace(sourcetype,",","&amp;form.tokSourcetype=")
| eval _currentAppName=$env:app|s$</query>
        </search>
        <option name="refresh.display">progressbar</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">/app/$row._currentAppName$/destination_dashboard?$row._sourcetypeQryStr|n$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

SimpleXML for Destination Dashboard destination_dashboard

<form>
  <label>Destination Deshboard</label>
  <init>
    <set token="tokDefaultSourceType">splunkd,splunkd_ui_access</set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokSourcetype" searchWhenChanged="true">
      <label>Select Sourcetypes</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>| tstats count where index=_internal earliest=-15min by sourcetype
| fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter> </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>| tstats count where index=_internal sourcetype IN ($tokSourcetype$) earliest=-15min by _time sourcetype span=1min
| eval {sourcetype}=count
| fields - sourcetype count</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jadengoho
Builder
‎02-15-2020 07:13 PM

@niketnilay This is helpful,
but i have a table with drill down function and need to send token from table to a multi-select in the same dashboard.

<form>
  <label>Mutiselect</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="multiselect_token">
      <label>number</label>
      <choice value="1">1</choice>
      <choice value="2">2</choice>
      <choice value="3">3</choice>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults
|eval value="1,2,3"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="form.multiselect_token">$row.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-14-2020 04:44 PM

I see your condition.
what's your query?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...