
SingleValue drilldown search containing value displayed on SingleValue?

Jason
Motivator

I am displaying a value on my <single> - part of a nice and easy form search dashboard. Now I want to search by that value, so I'm setting up a drilldown.

However, when I set the linkSearch parameter to $session_id$, what is being displayed on the singlevalue, it comes through as the literal text $session_id$ on the next dashboard (set to flashtimeline via the linkView parameter).

What value do I put in linkSearch to be able to add the value of the singlevalue to the search, thus turning it into an actually useful drilldown? $value$?

sideview
SplunkTrust

There's no facility in SingleValue for dynamic searches, unfortunately. You can define that 'linkSearch' parameter, but it's purely static and it can't incorporate any dynamic $foo$ tokens.

However, if you want to do it anyway, you can use Sideview Utils to do it. Download Sideview Utils (http://sideviewapps.com/apps/sideview-utils/ and click 'download full version'), install it, restart Splunk, read the homepage docs and the first few pages of intro docs.

Then you can skip to "Module Reference > HTML Module > Using HTML instead of the SingleValue module."

That whole page has several living interactive examples of how you can do what you need to do. There are simple examples where there's no link, and more complex examples where the HTML module has a link to another view. In your case, unless you converted the target view to Sideview Utils as well, you'll want to build the link matching the normal Splunk "?q=search my search terms" convention.

For example, you would end up with this configuration:

<module name="HTML">
  <param name="html"><![CDATA[
    <div class="valueDisplay"> <div><b>session_id <a href='flashtimeline?q=search session_id="$results[0].session_id$"&amp;earliest=-15min&amp;latest=now'>$results[0].session_id$</a></b></div> </div> <br clear="all">
    ]]></param>
</module>

Note however that there's a little custom css in that example. See the comment in the view about moving that CSS into your own app.
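The "?q=search ..." link convention described in the answer above, built by hand so that a result value containing quotes, ampersands or angle brackets cannot alter the search string, the query string or the surrounding HTML. This is an added example, not part of the original post and not Splunk or Sideview Utils code; the function names and the sample values are hypothetical.

```javascript
// Added example. buildDrilldownHref/buildDrilldownLink are hypothetical helpers,
// not Splunk or Sideview Utils APIs.

// Quote a value as a double-quoted search term: escape backslashes, then quotes.
function splQuote(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Escape text for use in an HTML attribute or text node.
function htmlEscape(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build "<view>?q=search <field>="<value>"&earliest=...&latest=...".
function buildDrilldownHref(view, field, value, earliest, latest) {
  // The field name comes from the dashboard author; reject anything unexpected.
  if (!/^[A-Za-z_][A-Za-z0-9_.]*$/.test(field)) {
    throw new Error('unexpected field name: ' + field);
  }
  const search = 'search ' + field + '=' + splQuote(value);
  const query = [
    'q=' + encodeURIComponent(search),          // layer 2: URL encoding
    'earliest=' + encodeURIComponent(earliest),
    'latest=' + encodeURIComponent(latest),
  ].join('&');
  return encodeURIComponent(view) + '?' + query;
}

// Wrap the href in an anchor; layer 3 is HTML escaping of href and link text.
function buildDrilldownLink(view, field, value, earliest, latest) {
  const href = buildDrilldownHref(view, field, value, earliest, latest);
  return '<a href="' + htmlEscape(href) + '">' + htmlEscape(value) + '</a>';
}

// Constructed sample values: a plain id and one containing special characters.
const plain = buildDrilldownHref('flashtimeline', 'session_id', 'abc123', '-15min', 'now');
const special = buildDrilldownLink('flashtimeline', 'session_id', 'a"b&c <d>', '-15min', 'now');
console.log(plain);
console.log(special);
```

The order matters: the value is quoted for the search language first, the whole search is URL-encoded second, and the finished href is HTML-escaped last.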

Jason
Motivator

Okay. I don't want to go to any sort of advanced XML, so filing a P4 now.
