Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SingleValue drilldown search containing value displayed on SingleValue?

Jason
Motivator
‎08-17-2012 08:34 AM

I am displaying a value on my <single> - part of a nice and easy form search dashboard. Now I want to search by that value, so I'm setting up a drilldown.

However, when I set the linkSearch parameter to $session_id$, what is being displayed on the singlevalue, it comes through as the literal text $session_id$ on the next dashboard (set to flashtimeline via the linkView parameter).

What value do I put in linkSearch to be able to add the value of the singlevalue to the search, thus turning it into an actually useful drilldown? $value$?

Reply

sideview
SplunkTrust
SplunkTrust
‎08-17-2012 09:40 PM

There's no facility in SingleValue for dynamic searches unfortunately. You can define that 'linkSearch' parameter but it's purely static and it cant incorporate any dynamic $foo$ tokens.

However if you want to do it anyway, you can use Sideview Utils to do it. Download Sideview Utils ( http://sideviewapps.com/apps/sideview-utils/ and click 'download full version'), install it, restart Splunk, read the homepage docs and the first few pages of intro docs.

Then you can skip to "Module Reference > HTML Module > Using HTML instead of the SingleValue module."

That whole page has several living interactive examples of how you can do what you need to do. There are simple examples where there's no link, and more complex examples where the HTML module has a link to another view. In your case unless you converted the target view to Sideview Utils as well you'll want to build the link matching the normal Splunk "?q=search my search terms" convention.

For example, you would end up with this configuration: 

<module name="HTML">
  <param name="html"><![CDATA[
    <div class="valueDisplay"> <div><b>session_id <a href='flashtimeline?q=search session_id="$results[0].session_id$"&amp;earliest=-15min&amp;latest=now'>$results[0].session_id$</a></b></div> </div> <br clear="all">
    ]]></param>
</module>

Note however that there's a little custom css in that example. See the comment in the view about moving that CSS into your own app.

Reply

Jason
Motivator
‎08-20-2012 06:09 AM

Okay. I don't want to go to any sort of advanced XML, so filing a P4 now.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...