I can't get my `$click-value$` to work on drilldown from a simple XML panel

mctester
Communicator

I'm fighting with $click.value$ with a simple panel row drilldown. The problem is that $click.value$ shows up literally in my search. I need the value, not the name of the token. Anybody know how to do this without using SideView Utils?

Here's the panel:

```xml
<module name="HiddenSearch" layoutPanel="panel_row2_col2" group="Download Bytes by Destination IP" autoRun="True">
  <param name="search">sourcetype=cisco_firewall bytes (src_port=80 OR src_port=443) src_ip!=10.0.0.0/8 src_ip!=192.168.0.0/16 | stats sum(bytes_in) by src_ip | table src_ip,sum(bytes_in) | sort -sum(bytes_in)</param>
  <param name="groupLabel">Download Bytes by Destination IP</param>
  <param name="earliest">-24h</param>
  <param name="latest">now</param>
  <module name="Paginator">
    <param name="count">10</param>
    <param name="entityName">results</param>
    <param name="maxPages">20</param>
    <module name="SimpleResultsTable">
      <param name="drilldown">row</param>
      <module name="HiddenSearch">
        <param name="search">sourcetype=cisco_firewall dest_ip=$click.value$</param>
        <module name="ConvertToDrilldownSearch">
          <module name="JobProgressIndicator"/>
          <module name="SimpleResultsHeader">
            <param name="headerFormat">Host names for: $click.value$</param>
            <param name="entityName">events</param>
          </module>
          <module name="Paginator">
            <param name="entityName">events</param>
            <param name="maxPages">10</param>
            <module name="SimpleResultsTable">
              <param name="drilldown">all</param>
              <param name="entityName">events</param>
              <param name="displayRowNumbers">False</param>
              <module name="ConvertToDrilldownSearch">
                <module name="ViewRedirector">
                  <param name="viewTarget">flashtimeline</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
```
1 Solution

sideview
SplunkTrust

You're kind of mashing up two disparate ways of implementing drilldown.

1) On the one hand, you're using $click.value$ directly in the HiddenSearch module. This is an intuitive thing to do, and in fact it's how the Sideview Utils "Search" module works. However, the core Splunk HiddenSearch module, when it uses the dollar syntax, i.e. "$foo$", is specifying that the "stringreplace intention" called "foo" should be substituted there. It's quite sensible to think that an ordinary token from upstream would be substituted here, but HiddenSearch will only substitute "stringreplace intentions". So you would need a "ConvertToIntention" module upstream from the HiddenSearch but downstream from the SimpleResultsTable, to convert your simple "click.value" token into a stringreplace intention called "click.value", for that to work. (If you feel like you're taking crazy pills, you're not alone.)

2) On the other hand, you're using the Splunk core "ConvertToDrilldownSearch" module, which does some simple magic, where it takes whatever the most recent table or chart click was, and it calculates the best intention to use, and then applies the intention to the current search. The end result though is that the "search" is invisibly transformed to be the (hopefully) correct search.

So because you're using sort of half of two different approaches, the current XML isn't working.

You have two options.

1) Go in the HiddenSearch direction -- remove the ConvertToDrilldownSearch module, read up on the intention syntax (you can pull down the "UI Examples" app from Splunkbase and crib from the stringreplace intention example), and craft the correct XML syntax for the correct stringreplace intention.

2) Go in the ConvertToDrilldownSearch direction -- remove the extra HiddenSearch module, and let the ConvertToDrilldownSearch module do its invisible magic.

Well, of course, there's a third way too. You can download Sideview Utils, which is free for internal use, from the Sideview site, put the SideviewUtils module somewhere on the page out of the way, remove the ConvertToDrilldownSearch module from the view, replace the core HiddenSearch module with the Sideview "Search" module, and then it'll work in the more intuitive way you're looking for.
(Note: if you do use Utils, you'll eventually want to replace Paginator with Pager, SimpleResultsHeader with HTML, and ViewRedirector with Redirector, but there are docs for all these inside Sideview Utils.)

UPDATE: Sideview Utils 2.X was for a brief time a paid product but as of a long time ago now it has returned to being essentially free software. Although there are some restrictions in the license agreement it's essentially free for internal use. http://sideviewapps.com/apps/sideview-utils
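
A lint for the mix-up the answer describes, as an added example that is not part of the original post or of Splunk: it walks an advanced XML module tree and reports any `HiddenSearch` below a drilldown table that uses a `$token$` without a `ConvertToIntention` upstream, or that also feeds a `ConvertToDrilldownSearch`. The function names and the sample view are constructed here, and only module placement is checked, not the intention's own parameters.

```python
import re
import xml.etree.ElementTree as ET

TOKEN = re.compile(r"\$([A-Za-z_][\w.]*)\$")  # $name$ placeholders

# Constructed sample: the drilldown chain from the question, trimmed.
SAMPLE_VIEW = """
<module name="SimpleResultsTable">
  <param name="drilldown">row</param>
  <module name="HiddenSearch">
    <param name="search">sourcetype=cisco_firewall dest_ip=$click.value$</param>
    <module name="ConvertToDrilldownSearch">
      <module name="JobProgressIndicator"/>
    </module>
  </module>
</module>
"""

def param(module, name):
    """Text of a direct <param name="..."> child, or '' if absent."""
    for p in module.findall("param"):
        if p.get("name") == name:
            return p.text or ""
    return ""

def lint_drilldown(xml_text):
    """Return (token, problem) pairs for HiddenSearch modules below a drilldown table."""
    findings = []

    def walk(module, in_drilldown, has_intention):
        name = module.get("name")
        if name == "SimpleResultsTable" and param(module, "drilldown") in ("row", "all"):
            in_drilldown, has_intention = True, False  # a click starts a new chain
        elif name == "ConvertToIntention":
            has_intention = True
        elif name == "HiddenSearch" and in_drilldown:
            tokens = TOKEN.findall(param(module, "search"))
            if not has_intention:
                findings.extend((t, "no upstream ConvertToIntention") for t in tokens)
            below = {m.get("name") for m in module.iter("module")}
            if tokens and "ConvertToDrilldownSearch" in below:
                findings.append((tokens[0], "mixed with ConvertToDrilldownSearch"))
        for child in module.findall("module"):
            walk(child, in_drilldown, has_intention)

    walk(ET.fromstring(xml_text), False, False)
    return findings

if __name__ == "__main__":
    for token, problem in lint_drilldown(SAMPLE_VIEW):
        print(f"${token}$: {problem}")
```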


sideview
SplunkTrust

One comment -- in your question's title you refer to the 'simple xml', but then the xml you've posted is of course the advanced XML syntax. I assume that you mean simple xml in a more general sense of "this should be simple".


