
How to use a radio button to run different searches including token from drilldown?

DaClyde
Contributor

I have a three panel dashboard using drilldown tokens, and I need help with the last panel.

In panel 1 the user picks a time range and an option from a drop-down list that then runs the search to return a table of servers. From the search results, the user can click on a row to launch panel 2.

Panel 2 takes the token (a server name) from Panel 1 and runs a search that returns a list of clients associated with the server. From the results, the user can click on a client to launch panel 3.

Panel 3 has a radio button with options Upload and Download to show either file uploads or file downloads for the selected client from panel 3. However, I need to run two completely different searches (different indexes and sourcetypes) depending on which radio button is selected, but also plugging in the token (client name) from panel 2.

I know how to use a radio button menu to pass just a token into a search, but how can I pass a whole search?

0 Karma

ITWhisperer
SplunkTrust

The token can hold the whole search - it is just a string substitution. Alternatively, in the change handler for the radio button you could set more than one token if that makes it easier to build the query.

0 Karma

DaClyde
Contributor

That was what I tried first, but got lost in how to format the search in the 'value' field. I get the idea that all of the escaping is preventing the token variables from the drilldown from being populated. When I inspect the search after running it, it still just shows my $host_tok$ and $client_tok$ instead of the values passed from the previous panel. When I was just passing tokens from the radio buttons to a standard search, it worked fine, I just didn't have the flexibility I needed in the search.

Here is the panel source, I tried a straight search for Download and tried using CDATA for the Upload (which was just a mess), but in neither case do the tokens populate:

    <panel>
      <input type="radio" token="method_tok">
        <label></label>
        <choice value="search index=navyclientiis sourcetype=navyclientiis cs_method=HEAD OR cs_method=GET [|inputlookup all_mid-tiers|where Unit=&quot;$host_tok$&quot;|table host] cs_client=$client_tok$ |rename cs_uri_stem AS &quot;File Downloaded&quot; |eval Status=sc_status.&quot;.&quot;.sc_substatus|table _time &quot;File Downloaded&quot; Status">Downloads</choice>
        <choice value="&lt;![CDATA[|index=navyclientiis sourcetype=navyclientiis cs_method=POST [|inputlookup all_mid-tiers|where Unit=&quot;$host_tok$&quot;|table host] cs_client=$client_tok$ |rename fn AS &quot;File Uploaded&quot;|eval Status=sc_status.&quot;.&quot;.sc_substatus | table _time &quot;File Uploaded&quot; Status]]&gt;">Uploads</choice>
      </input>
      <html>Select Upload or Download to see client traffic.</html>
      <table depends="$client_tok$">
        <title>Detail for $client_tok$</title>
        <search>
          <query>$method_tok$</query>
          <earliest>-48h</earliest>
          <latest>+12h</latest>
        </search>
        <option name="count">15</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>

 

0 Karma

ITWhisperer
SplunkTrust

As I said, try the change handler

<form>
  <label>Radio</label>
  <init>
    <set token="host_tok">hostA</set>
    <set token="client_tok">clientX</set>
  </init>
  <row>
    <panel>
      <input type="radio" token="method_choice">
        <label></label>
        <choice value="downloads">Downloads</choice>
        <choice value="uploads">Uploads</choice>
        <change>
          <condition value="downloads">
            <set token="action">Download</set>
            <set token="method_tok">search index=navyclientiis sourcetype=navyclientiis cs_method=HEAD OR cs_method=GET [|inputlookup all_mid-tiers|where Unit=&quot;$host_tok$&quot;|table host] cs_client=$client_tok$ |rename cs_uri_stem AS &quot;File Downloaded&quot; |eval Status=sc_status.&quot;.&quot;.sc_substatus|table _time &quot;File Downloaded&quot; Status</set>
          </condition>
          <condition value="uploads">
            <set token="action">Upload</set>
            <set token="method_tok">&lt;![CDATA[|index=navyclientiis sourcetype=navyclientiis cs_method=POST [|inputlookup all_mid-tiers|where Unit=&quot;$host_tok$&quot;|table host] cs_client=$client_tok$ |rename fn AS &quot;File Uploaded&quot;|eval Status=sc_status.&quot;.&quot;.sc_substatus | table _time &quot;File Uploaded&quot; Status]]&gt;</set>
          </condition>
        </change>
      </input>
      <html>Select Upload or Download to see client traffic.
      <p>$action$</p>
      <p>$method_tok$</p>
      </html>
      <table depends="$method_choice$">
        <title>Detail for $client_tok$</title>
        <search>
          <query>$method_tok$</query>
          <earliest>-48h</earliest>
          <latest>+12h</latest>
        </search>
        <option name="count">15</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

DaClyde
Contributor

I'm sorry, I got so lost in trying to explain and show what I was doing wrong, I got sidetracked from actually trying your suggestion.  This works perfectly, thank you!

0 Karma
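
The alternative mentioned earlier in the thread (setting more than one token in the change handler) is sketched below as an added example; it is not code from either poster. The index, sourcetype, lookup and field names are taken from the thread, while the token names `method_filter`, `file_field` and `file_label` are hypothetical, and the `|s` token filter is added so the drilldown values are quoted when substituted.

```xml
<form>
  <label>Radio (multi-token variant)</label>
  <init>
    <!-- Stand-ins for the drilldown tokens from panels 1 and 2, as in the answer above -->
    <set token="host_tok">hostA</set>
    <set token="client_tok">clientX</set>
  </init>
  <row>
    <panel>
      <input type="radio" token="method_choice">
        <label>Traffic type</label>
        <choice value="downloads">Downloads</choice>
        <choice value="uploads">Uploads</choice>
        <change>
          <!-- Each choice sets only the fragments that differ; no drilldown tokens in here -->
          <condition value="downloads">
            <set token="method_filter">(cs_method=HEAD OR cs_method=GET)</set>
            <set token="file_field">cs_uri_stem</set>
            <set token="file_label">File Downloaded</set>
          </condition>
          <condition value="uploads">
            <set token="method_filter">cs_method=POST</set>
            <set token="file_field">fn</set>
            <set token="file_label">File Uploaded</set>
          </condition>
        </change>
      </input>
      <table depends="$method_choice$">
        <title>$file_label$ detail for $client_tok$</title>
        <search>
          <!-- |s wraps the drilldown value in quotes, so spaces or SPL characters in it stay literal -->
          <query>index=navyclientiis sourcetype=navyclientiis $method_filter$ [| inputlookup all_mid-tiers | where Unit=$host_tok|s$ | table host] cs_client=$client_tok|s$
| rename $file_field$ AS "$file_label$"
| eval Status=sc_status.".".sc_substatus
| table _time "$file_label$" Status</query>
          <earliest>-48h</earliest>
          <latest>+12h</latest>
        </search>
        <option name="count">15</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Because the query text lives in the `<query>` element rather than inside a token value, the search only dispatches once every referenced token is set, and the drilldown tokens are substituted directly into the search with their quoting applied in one place.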