Dashboards & Visualizations

Using mvmap in eval token

piukr
Explorer

Hello,

I am trying to format multi-value cell data in a dashboard table using mvmap in an eval token before passing it on to a drilldown, however I am unable to figure out how to format the eval function and if this approach would work at all. I would appreciate if someone could tell me why this function fails.

I have included a test dashboard which shows sample data (sample column) and the format that I would like to create (test column). Unfortunately, the 'temptoken' token never gets evaluated.

Note, I understand that I could use different workarounds to avoid using mvmap in an eval token, such as creating a hidden field in the table and use it for drilldown, or using different eval functions (depending on the use case). I am specifically interested in the format of using mvmap in an eval token, as this function could be really useful in more complex cases that I have to deal with.

<dashboard>
  <label>mvmap in eval token</label>
  <row>
    <panel>
      <table>
        <search>
          <query>
            <![CDATA[
| makeresults 
| fields - _time
| eval sample = "text1 -> text2,text3 -> text4"
| eval sample = split(sample, ",")
``` the SPL above this line will generate the sample data ```
| eval test = mvmap(sample, split(sample, " -> "))
          ]]>
        </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition match="$click.name2$==&quot;sample&quot;">
           <!-- This eval function is not working --> 
           <eval token="temptoken">mvmap('row.sample', split('row.sample', " -> "))</eval>
          </condition>
          <condition match="$click.name2$==&quot;test&quot;">
            <eval token="temptoken2">'row.test'</eval>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <html>
      <p>
        temptoken: $temptoken$
      </p>
      <p>
        temptoken2: $temptoken2$
      </p>
    </html>
  </row>
</dashboard>

 

Best Regards,

Robert

Labels (1)
Tags (3)
0 Karma
1 Solution

tscroggins
Influencer

@piukr 

The Simple XML <eval> tag implements a subset of eval functions in JavaScript. Internally, multivalued results are JavaScript arrays. They are collapsed to comma-delimited strings when returned as values.

See $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/util/eval/functions/multivalue.js for the list of supported functions:

  • split()
  • mvappend()
  • mvcount()
  • mvfind()
  • mvindex()
  • mvjoin()
  • mvdedup()
  • mvsort()
  • mvrange()
  • mvzip()
  • mvfilter()

Unfortunately, mvmap() is not supported.

Props to the dashboards and visualizations team for supporting as much as they did!

View solution in original post

piukr
Explorer

Hi @tscroggins, thank you for the detailed explanation, and also for pointing out where I should look for the answer the next time 🙂

BR,

Robert

0 Karma

tscroggins
Influencer

@piukr 

The Simple XML <eval> tag implements a subset of eval functions in JavaScript. Internally, multivalued results are JavaScript arrays. They are collapsed to comma-delimited strings when returned as values.

See $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/util/eval/functions/multivalue.js for the list of supported functions:

  • split()
  • mvappend()
  • mvcount()
  • mvfind()
  • mvindex()
  • mvjoin()
  • mvdedup()
  • mvsort()
  • mvrange()
  • mvzip()
  • mvfilter()

Unfortunately, mvmap() is not supported.

Props to the dashboards and visualizations team for supporting as much as they did!

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...