Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to separate multiselect drilldown

jadengoho
Builder
‎02-14-2020 03:21 AM

Hi All,
How could i separate the values of multiselect inputs that came from a drilldown ?

The values came from a dashboard click drilldown to the mutiselect field, unfortunately token passed are joined in one box, how could i separate them ?

Hope the picture will help
alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jadengoho
Builder
‎02-15-2020 07:38 PM

I've solve the issue. This page help me:
https://www.advisori.de/splunk-struggles-with-multiselects-and-how-to-rule-them-all-or-at-least-some...

As per my understanding: If you set a token in a table drilldown its in array form, and need to be converted in per line value*[Split command]* for it to work.

<form>
   <label>Mutiselect</label>
   <fieldset submitButton="false">
     <input type="multiselect" token="multiselect_token">
       <label>number</label>
       <choice value="1">1</choice>
       <choice value="2">2</choice>
       <choice value="3">3</choice>
       <delimiter>,</delimiter>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search>
           <query>|makeresults
 |eval value="1,2,3"</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
         <option name="count">10</option>
         <option name="drilldown">cell</option>
         <drilldown>
           <eval token="form.multiselect_token">split($row.value$,",")</eval>
         </drilldown>
       </table>
     </panel>
   </row>
 </form>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jadengoho
Builder
‎02-15-2020 07:38 PM

I've solve the issue. This page help me:
https://www.advisori.de/splunk-struggles-with-multiselects-and-how-to-rule-them-all-or-at-least-some...

As per my understanding: If you set a token in a table drilldown its in array form, and need to be converted in per line value*[Split command]* for it to work.

<form>
   <label>Mutiselect</label>
   <fieldset submitButton="false">
     <input type="multiselect" token="multiselect_token">
       <label>number</label>
       <choice value="1">1</choice>
       <choice value="2">2</choice>
       <choice value="3">3</choice>
       <delimiter>,</delimiter>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search>
           <query>|makeresults
 |eval value="1,2,3"</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
         <option name="count">10</option>
         <option name="drilldown">cell</option>
         <drilldown>
           <eval token="form.multiselect_token">split($row.value$,",")</eval>
         </drilldown>
       </table>
     </panel>
   </row>
 </form>
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎02-15-2020 02:03 PM

@jadengoho try the following two step process:

Step 1: Process a hidden field (prefix field name with underscore _ as one option for this), which prepares querystring for multiselect in the destination dashboard. i.e. splunkd,splunkd_access converts to form.tokSourcetype=splunkd&form.tokSourcetype=splunkd_access
Step 2: pass the same as token without escaping using |n to the token.

PS:

  • Do not use <default> option in multiselect populated with the drilldown token as the same is taken care by query string in the URL.
  • I have used $env:app$ to get the current app name for drilldown to the dashboard in the same app as source. You can specify app name if your drilldown is outside the current app.

Following is a run anywhere example where source_dashboard drills down to destination_dashboard:
SimpleXML for Source Dashboard source_dashboard

<dashboard>
  <label>Source Dashboard</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats values(sourcetype) as sourcetype where index=_internal earliest=-15min
| eval sourcetype=mvjoin(sourcetype,",")
| eval _sourcetypeQryStr="form.tokSourcetype=".replace(sourcetype,",","&amp;form.tokSourcetype=")
| eval _currentAppName=$env:app|s$</query>
        </search>
        <option name="refresh.display">progressbar</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">/app/$row._currentAppName$/destination_dashboard?$row._sourcetypeQryStr|n$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

SimpleXML for Destination Dashboard destination_dashboard

<form>
  <label>Destination Deshboard</label>
  <init>
    <set token="tokDefaultSourceType">splunkd,splunkd_ui_access</set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokSourcetype" searchWhenChanged="true">
      <label>Select Sourcetypes</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>| tstats count where index=_internal earliest=-15min by sourcetype
| fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter> </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>| tstats count where index=_internal sourcetype IN ($tokSourcetype$) earliest=-15min by _time sourcetype span=1min
| eval {sourcetype}=count
| fields - sourcetype count</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jadengoho
Builder
‎02-15-2020 07:13 PM

@niketnilay This is helpful,
but i have a table with drill down function and need to send token from table to a multi-select in the same dashboard.

<form>
  <label>Mutiselect</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="multiselect_token">
      <label>number</label>
      <choice value="1">1</choice>
      <choice value="2">2</choice>
      <choice value="3">3</choice>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults
|eval value="1,2,3"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="form.multiselect_token">$row.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-14-2020 04:44 PM

I see your condition.
what's your query?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...