
How to use a radio button to run different searches including token from drilldown?

DaClyde
Contributor

I have a three panel dashboard using drilldown tokens, and I need help with the last panel.

In panel 1 the user picks a time range and an option from a drop down list that then runs the search to return a table of servers. From the search results, the user can click on a row to launch panel 2.

Panel 2 takes the token (a server name) from Panel 1 and runs a search that returns a list of clients associated with the server. From the results, the user can click on a client to launch panel 3.

Panel 3 has a radio button with options Upload and Download to show either file uploads or file downloads for the selected client from panel 3. However, I need to run two completely different searches (different indexes and sourcetypes) depending on which radio button is selected, but also plugging in the token (client name) from panel 2.

I know how to use a radio button menu to pass just a token into a search, but how can I pass a whole search?


ITWhisperer
SplunkTrust

The token can hold the whole search - it is just a string substitution. Alternatively, in the change handler for the radio button you could set more than one token if that makes it easier to build the query.

0 Karma

DaClyde
Contributor

That was what I tried first, but got lost in how to format the search in the 'value' field. I get the idea that all of the escaping is preventing the token variables from the drilldown from being populated. When I inspect the search after running it, it still just shows my $host_tok$ and $client_tok$ instead of the values passed from the previous panel. When I was just passing tokens from the radio buttons to a standard search, it worked fine, I just didn't have the flexibility I needed in the search.

Here is the panel source, I tried a straight search for Download and tried using CDATA for the Upload (which was just a mess), but in neither case do the tokens populate:

    <panel>
      <input type="radio" token="method_tok">
        <label></label>
        <choice value="search index=navyclientiis sourcetype=navyclientiis cs_method=HEAD OR cs_method=GET [|inputlookup all_mid-tiers|where Unit=&quot;$host_tok$&quot;|table host] cs_client=$client_tok$ |rename cs_uri_stem AS &quot;File Downloaded&quot; |eval Status=sc_status.&quot;.&quot;.sc_substatus|table _time &quot;File Downloaded&quot; Status">Downloads</choice>
        <choice value="&lt;![CDATA[|index=navyclientiis sourcetype=navyclientiis cs_method=POST [|inputlookup all_mid-tiers|where Unit=&quot;$host_tok$&quot;|table host] cs_client=$client_tok$ |rename fn AS &quot;File Uploaded&quot;|eval Status=sc_status.&quot;.&quot;.sc_substatus | table _time &quot;File Uploaded&quot; Status]]&gt;">Uploads</choice>
      </input>
      <html>Select Upload or Download to see client traffic.</html>
      <table depends="$client_tok$">
        <title>Detail for $client_tok$</title>
        <search>
          <query>$method_tok$</query>
          <earliest>-48h</earliest>
          <latest>+12h</latest>
        </search>
        <option name="count">15</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>

 

0 Karma

ITWhisperer
SplunkTrust

As I said, try the change handler

<form>
  <label>Radio</label>
  <init>
    <set token="host_tok">hostA</set>
    <set token="client_tok">clientX</set>
  </init>
  <row>
    <panel>
      <input type="radio" token="method_choice">
        <label></label>
        <choice value="downloads">Downloads</choice>
        <choice value="uploads">Uploads</choice>
        <change>
          <condition value="downloads">
            <set token="action">Download</set>
            <set token="method_tok">search index=navyclientiis sourcetype=navyclientiis cs_method=HEAD OR cs_method=GET [|inputlookup all_mid-tiers|where Unit=&quot;$host_tok$&quot;|table host] cs_client=$client_tok$ |rename cs_uri_stem AS &quot;File Downloaded&quot; |eval Status=sc_status.&quot;.&quot;.sc_substatus|table _time &quot;File Downloaded&quot; Status</set>
          </condition>
          <condition value="uploads">
            <set token="action">Upload</set>
            <set token="method_tok">search index=navyclientiis sourcetype=navyclientiis cs_method=POST [|inputlookup all_mid-tiers|where Unit=&quot;$host_tok$&quot;|table host] cs_client=$client_tok$ |rename fn AS &quot;File Uploaded&quot;|eval Status=sc_status.&quot;.&quot;.sc_substatus | table _time &quot;File Uploaded&quot; Status</set>
          </condition>
        </change>
      </input>
      <html>Select Upload or Download to see client traffic.
      <p>$action$</p>
      <p>$method_tok$</p>
      </html>
      <table depends="$method_choice$">
        <title>Detail for $client_tok$</title>
        <search>
          <query>$method_tok$</query>
          <earliest>-48h</earliest>
          <latest>+12h</latest>
        </search>
        <option name="count">15</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

DaClyde
Contributor

I'm sorry, I got so lost in trying to explain and show what I was doing wrong, I got sidetracked from actually trying your suggestion.  This works perfectly, thank you!

0 Karma