Solved: Re: Pass 2 columns to 1 token or 2 tokens?

dbcase · ‎11-02-2017

Hi,

I have the below table

What I'd like to be able to do is when the user clicks on iPhone (there are 2 of them which is what presents the problem) I'd like to also include the OS in the search as to be able to uniquely identify which iPhone. I know how to configure a token to grab "iPhone" but what I don't know is how to grab the OS value at the same time. Also, is it best to put all the info in 1 token or 2 tokens? Or am I going about this completely wrong? 😉

kamlesh_vaghela · ‎11-02-2017

Hi
Do you want to set tokens on drilldown?

Can you please try below drilldown code?

 <drilldown>
             <set token="tokenUserAgent">$row.User Agent$</set>
             <set token="tokenOperatingSystem">$row.Operating System$</set>
             <set token="tokenPercentage">$row.Percentage$</set>
           </drilldown>

View solution in original post

gcusello · ‎11-02-2017

Hi dbcase,
you pass two different tokens:

<drilldown>
   <link>drilldown_dashboard?User_Agents=$row.User Agents$&amp;Operating_System=$row.Operative Systems$</link>
</drilldown>

in addition I usually add also time period

<drilldown>
   <link>drilldown_dashboard?User_Agents=$row.User Agents$&amp;Operating_System=$row.Operative Systems$&amp;TimeFrom=$Time.earliest$&amp;TimeTo=$Time.latest$</link>
</drilldown>

Bye.
Giuseppe

kamlesh_vaghela · ‎11-02-2017

Hi
Do you want to set tokens on drilldown?

Can you please try below drilldown code?

 <drilldown>
             <set token="tokenUserAgent">$row.User Agent$</set>
             <set token="tokenOperatingSystem">$row.Operating System$</set>
             <set token="tokenPercentage">$row.Percentage$</set>
           </drilldown>

dbcase · ‎11-02-2017

Hi Kamlesh_Veghela, That worked! It was a little more tweaking for the query but it works great! Thank you!!!

dbcase · ‎11-02-2017

The final code segment ended up looking like this

<table depends="$tablepremiseid$">
        <title>Devices/Browsers used for the past 7 days for Premise - $tablepremiseid$</title>
        <search>
          <query>earliest=-7d@d host=beta* index=main "/rest/icontrol/sites/" |rex "\/rest\/icontrol\/sites\/(?P&lt;premise_id&gt;\d+)"|search premise_id=$tablepremiseid$|eval agent = if(match(_raw,"iPad"),"iPad", if(match(_raw, "iPhone"),"iPhone", if(match(_raw, "Android"),"Android", if(match(_raw, "Windows NT"),"Windows NT",if(match(_raw, "HCM-R1"),"HCM-R1", if(match(_raw, "Macintosh"),"Macintosh",if(match(_raw, "Linux"),"Linux",if(match(_raw,"Apache-HttpClient"), "Apache-HttpClient","OTHER"))))))))|rex "Mozilla\S+\s\((?&lt;os&gt;[^)]+)"|eventstats count as grandtotal |eventstats count as ptotal by agent os|stats count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by agent os |sort -count|rename agent as "User Agent - Click for Details" os as "Operating System"|fields - count</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <format type="color" field="Percentage">
          <colorPalette type="minMidMax" maxColor="#31A35F" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax"></scale>
        </format>
        <drilldown>
          <condition field="User Agent - Click for Details">
            <set token="tableuseragent">$row.User Agent - Click for Details$</set>
            <set token="tableoperatingsystem">$row.Operating System$</set>
          </condition>
          <condition field="*">
            <unset token="tableuseragent"></unset>
            <unset token="tableoperatingsystem"></unset>
          </condition>
        </drilldown>
      </table>
      <table depends="$tableuseragent$">
        <title>Raw log events for User Agent - $tableuseragent$ and OS - $tableoperatingsystem$ for the past 7 days for Premise - $tablepremiseid$</title>
        <search>
          <query>earliest=-7d@d host=beta* index=main "/rest/icontrol/sites/" | rex "\/rest\/icontrol\/sites\/(?P&lt;premise_id&gt;\d+)" | search premise_id=$tablepremiseid$ | eval agent = if(match(_raw,"iPad"),"iPad", if(match(_raw, "iPhone"),"iPhone", if(match(_raw, "Android"),"Android", if(match(_raw, "Windows NT"),"Windows NT",if(match(_raw, "HCM-R1"),"HCM-R1", if(match(_raw, "Macintosh"),"Macintosh",if(match(_raw, "Linux"),"Linux",if(match(_raw,"Apache-HttpClient"), "Apache-HttpClient","OTHER"))))))))|  rex "Mozilla\S+\s\((?&lt;os&gt;[^)]+)" |search agent="$tableuseragent$" AND os="$tableoperatingsystem$" |table _raw|rex "-\s-(?P&lt;rawevent&gt;.+)"|table rawevent|rename rawevent as "Raw Event"</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <format type="color" field="Percentage">
          <colorPalette type="minMidMax" maxColor="#31A35F" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax"></scale>
        </format>
      </table>

dbcase · ‎11-02-2017

Also can you convert your comment to an answer and I'll accept it so you can get the credit. Thanks again!

kamlesh_vaghela · ‎11-02-2017

Glad to help you
Happy Splunking

Pass 2 columns to 1 token or 2 tokens?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes