Dashboards & Visualizations

How to set and unset a specific token by clicking a table row with a specific column value?

Arthur_Kwan
Engager

I have a table and a couple of panels on my dashboard. I would like to click a table row and display/hide certain panels depending on the value of a specific column.

namegenderage
Alicefemale18
Bobmale22

For instance, I have the above table. I would like to display panel A and hide panel B when I click a row with gender=female, and display panel B and hide panel A when I click a row with gender=male. Let's say panel A depends on token panelA and panel B depends on token panelB. How should I do that?

I am thinking about doing that in the drilldown setting but I do not know how to set or unset with a condition.

Labels (4)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

<dashboard version="1.1" theme="light">
  <label>Gender</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="name,gender,age
Alice,female,18
Bob,male,22"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <condition match="$click.name2$==&quot;gender&quot; AND $click.value2$==&quot;female&quot;">
            <set token="female">true</set>
            <unset token="male"></unset>
          </condition>
          <condition match="$click.name2$==&quot;gender&quot; AND $click.value2$==&quot;male&quot;">
            <set token="male">true</set>
            <unset token="female"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$female$">
    <panel>
      <table>
        <title>Female</title>
        <search>
          <query>| makeresults format=csv data="Name
Alice"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$male$">
    <panel>
      <table>
        <title>Male</title>
        <search>
          <query>| makeresults format=csv data="Name
Bob"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

<dashboard version="1.1" theme="light">
  <label>Gender</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="name,gender,age
Alice,female,18
Bob,male,22"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <condition match="$click.name2$==&quot;gender&quot; AND $click.value2$==&quot;female&quot;">
            <set token="female">true</set>
            <unset token="male"></unset>
          </condition>
          <condition match="$click.name2$==&quot;gender&quot; AND $click.value2$==&quot;male&quot;">
            <set token="male">true</set>
            <unset token="female"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$female$">
    <panel>
      <table>
        <title>Female</title>
        <search>
          <query>| makeresults format=csv data="Name
Alice"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$male$">
    <panel>
      <table>
        <title>Male</title>
        <search>
          <query>| makeresults format=csv data="Name
Bob"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

Arthur_Kwan
Engager

I found that using the following match condition is enough to get the job done.

 <condition match="$row.gender$==&quot;female&quot;">

 Thanks for your answer. It lets me find out that there is a thing called conditional drilldown!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Arthur_Kwan,

it isn't so easy to do but anyway, you could see in the Splunk Dashboard Exemples app,(https://splunkbase.splunk.com/app/1603) where in the Null Search Swapper example, you can see how to display/hide a panel based on a search result, then in the In-page drilldown, you can find how to set a token to use in the same page and how to display it.

So mixing these two samples, you should be able to do yor requirement.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...