Solved: How to set and unset a specific token by clicking ...

Arthur_Kwan · ‎02-09-2024

I have a table and a couple of panels on my dashboard. I would like to click a table row and display/hide certain panels depending on the value of a specific column.

name	gender	age
Alice	female	18
Bob	male	22

For instance, I have the above table. I would like to display panel A and hide panel B when I click a row with gender=female, and display panel B and hide panel A when I click a row with gender=male. Let's say panel A depends on token panelA and panel B depends on token panelB. How should I do that?

I am thinking about doing that in the drilldown setting but I do not know how to set or unset with a condition.

ITWhisperer · ‎02-10-2024

Try something like this

<dashboard version="1.1" theme="light">
  <label>Gender</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="name,gender,age
Alice,female,18
Bob,male,22"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <condition match="$click.name2$==&quot;gender&quot; AND $click.value2$==&quot;female&quot;">
            <set token="female">true</set>
            <unset token="male"></unset>
          </condition>
          <condition match="$click.name2$==&quot;gender&quot; AND $click.value2$==&quot;male&quot;">
            <set token="male">true</set>
            <unset token="female"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$female$">
    <panel>
      <table>
        <title>Female</title>
        <search>
          <query>| makeresults format=csv data="Name
Alice"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$male$">
    <panel>
      <table>
        <title>Male</title>
        <search>
          <query>| makeresults format=csv data="Name
Bob"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

ITWhisperer · ‎02-10-2024

Try something like this

<dashboard version="1.1" theme="light">
  <label>Gender</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="name,gender,age
Alice,female,18
Bob,male,22"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <condition match="$click.name2$==&quot;gender&quot; AND $click.value2$==&quot;female&quot;">
            <set token="female">true</set>
            <unset token="male"></unset>
          </condition>
          <condition match="$click.name2$==&quot;gender&quot; AND $click.value2$==&quot;male&quot;">
            <set token="male">true</set>
            <unset token="female"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$female$">
    <panel>
      <table>
        <title>Female</title>
        <search>
          <query>| makeresults format=csv data="Name
Alice"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$male$">
    <panel>
      <table>
        <title>Male</title>
        <search>
          <query>| makeresults format=csv data="Name
Bob"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

Arthur_Kwan · ‎02-15-2024

I found that using the following match condition is enough to get the job done.

 <condition match="$row.gender$==&quot;female&quot;">

Thanks for your answer. It lets me find out that there is a thing called conditional drilldown!

gcusello · ‎02-09-2024

Hi @Arthur_Kwan,

it isn't so easy to do but anyway, you could see in the Splunk Dashboard Exemples app,(https://splunkbase.splunk.com/app/1603) where in the Null Search Swapper example, you can see how to display/hide a panel based on a search result, then in the In-page drilldown, you can find how to set a token to use in the same page and how to display it.

So mixing these two samples, you should be able to do yor requirement.

Ciao.

Giuseppe

How to set and unset a specific token by clicking a table row with a specific column value?

Classic dashboard

drilldown

table

token

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases