bins for count values

gcusello
SplunkTrust

Hi all,
I have a problem that I don't know if it's solvable:

I have a search with a stats command with a values option (e.g. | stats values(prog) AS prog BY key )
prog can have few and many values
I have to use key and prog in a drilldown in another dashboard.
I created a hidden field to pass to drilldown progs with the "OR" separators ( value1 OR value2 OR value3 OR ... )
This drilldown correctly runs when I have not many progs (up to around 150 progs) but when I have more progs I reach the limit of URL length (error message "Request-URI Too Long").

So how can I solve the problem?
I thought to show in my main dashboard one row every 150 progs and use them in drilldown but I don't know if it's possible and how to do that.
Has anyone any idea?
Thank you.

Bye.
Giuseppe

1 Solution

elliotproebstel
Champion

If I understand correctly, you're trying to pass the results of ...|stats values(prog) AS prog BY key | where key=$click.value$ or something along those lines, right? And the table that the user will click on in your first dashboard will be populated by the query ... | stats values(prog) AS prog BY key. So perhaps instead of passing all the actual values (the normal and clean way of doing things, yes), you could pass the SID of the search that populated the first dashboard along with $click.value$ and have the second dashboard contain a hidden search that evaluates | loadjob $passed_sid$ | where key=$passed_click_value$ and puts that into a token. That should bypass the URL length limitation.

gcusello
SplunkTrust

Hi elliotproebstel,
help me to understand:
in main dashboard I have to insert after the search

 <done>
   <set token="MySearchJobSID">$job.sid$</set>
 </done>

and use it as drilldown parameter:
two drilldown parameters:

  • MySearchJobSID,
  • passed_click_value=$click.value$

In the second dashboard, I have to insert a hidden search

| loadjob $passed_sid$ 
| where key=$passed_click_value$

and then use result as token in my secondary search, is it correct?

I'll try it immediately.

Thank you.
Bye.
Giuseppe


elliotproebstel
Champion

Yeah, that's the sketch of what I'd try. If that doesn't work, @somesoni2's suggestion of using a temporary lookup table is the only other idea I had, as well. It has the disadvantage of either potentially creating a lot of temporary dynamically-named lookups that will require cleanup or of using a single statically-named lookup that could encounter race conditions if more than one person uses the dashboard.

gcusello
SplunkTrust

I passed the SID to the secondary search as you suggested, now the problem is to create a token in a hidden search:
I tried with

<set token="prog_token">$row.prog_token$</set>

But it doesn't run. I'll continue!
Thanks.

Bye.
Giuseppe


gcusello
SplunkTrust

Great, it runs!
Thank you very much!
Bye.
Giuseppe


elliotproebstel
Champion

Great! So glad it worked 🙂
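
The SID-passing approach worked out in the replies above, written out as two Simple XML dashboards. This is an added example, not code posted by anyone in the thread. The index name my_index, the app path /app/search, the dashboard name prog_detail, the final table fields, and the use of $result.prog_token$ in the hidden search are assumptions; the token names are the ones used in the thread.

```xml
<!-- Dashboard 1 (main). Constructed example: my_index and prog_detail are placeholders. -->
<dashboard>
  <row>
    <panel>
      <table>
        <search>
          <query>index=my_index | stats values(prog) AS prog BY key</query>
          <!-- keep the SID of the finished job so the drilldown can hand it over -->
          <done>
            <set token="MySearchJobSID">$job.sid$</set>
          </done>
        </search>
        <drilldown>
          <!-- only the SID and the clicked key go into the URL, never the prog list;
               |u URL-encodes the clicked value -->
          <link target="_blank">/app/search/prog_detail?passed_sid=$MySearchJobSID$&amp;passed_click_value=$click.value|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

<!-- Dashboard 2 (prog_detail), saved as a separate dashboard. -->
<dashboard>
  <!-- hidden search: it sits outside any panel, so nothing is rendered -->
  <search>
    <!-- |s wraps the URL-supplied key in quotes before it reaches the where clause -->
    <query>| loadjob $passed_sid$ | where key=$passed_click_value|s$ | eval prog_token=mvjoin(prog, " OR ") | fields prog_token</query>
    <done>
      <!-- first result row of the hidden search becomes the token -->
      <set token="prog_token">$result.prog_token$</set>
    </done>
  </search>
  <row>
    <panel>
      <table>
        <search>
          <!-- runs only once prog_token has been set by the hidden search -->
          <query>index=my_index ($prog_token$) | table _time key prog</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

loadjob can only read the first dashboard's job while that job still exists, so the drilldown has to be opened before the job expires.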


somesoni2
SplunkTrust

What's the max number of progs that you may pass to the other dashboard? Can you try using a single character delimiter (instead of OR) to reduce some length?

gcusello
SplunkTrust

Hi somesoni2,
I could have thousands of progs because it's a field of 7 chars that contains the line number with an error.
I used OR because I have to put in OR condition all the values to use in the secondary dashboard.
Thanks.
Bye.
Giuseppe


somesoni2
SplunkTrust

Yeah... if it can be thousands, minimizing length of delimiter will not help here (though you could run a subsearch to split it in drilldown dashboard). You can try @elliotproebstel's suggestion of passing SID, or another alternative could be to write the result to a (temp) lookup table and refer to lookup table on drilldown dashboard.
