Monitoring Splunk

How to use different inputlookup CSV files based on the drilldown value?

Real_captain
Path Finder

Hi Team,

Can you please let me know if it is possible to display the different CSV files based on the drilldown value selected in parent table. 

Example: 
I have a search panel with the below drilldown that sets the value of the Application clicked in the parent dashboard:
<drilldown>
<condition match="isnotnull($raw_hide$)">
<unset token="raw_hide"></unset>
<unset token="raw_APPLICATION"></unset>
</condition>
<condition>
<set token="raw_hide">true</set>
<set token="raw_APPLICATION">$row.APPLICATION$</set>
</condition>
</drilldown>


Based on the value of the APPLICATION clicked on the parent dashboard, I want to display the corresponding CSV.

If Application = "X", then I want to use the command: | inputlookup append=t X.csv
If Application = "Y", then I want to use the command: | inputlookup append=t Y.csv
If Application = "Z", then I want to use the command: | inputlookup append=t Z.csv

OR 
Is it possible to display 3 different panels based on the APPLICATION selected in the parent dashboard?
I.e., based on the value of the token set in the <drilldown> of the parent dashboard, can we display a different panel using <panel depends="$tokenset$">?

Panel 1 using X.csv   <panel depends="$tokensetX$">
Panel 2 using Y.csv   <panel depends="$tokensetY$">
Panel 3 using Z.csv   <panel depends="$tokensetZ$">

 

0 Karma

gcusello
SplunkTrust

Hi @Real_captain ,

yes, in the first dropdown insert the three lookup values and use the token in the second dropdown, something like this:

<input type="dropdown" token="first" searchWhenChanged="true">
      <search>
        <query>
          | makeresults
          | eval lookup="lookup1.csv"
          | fields lookup 
          | append [
              | makeresults
              | eval lookup="lookup2.csv"
              | fields lookup ]
          | append [
              | makeresults
              | eval lookup="lookup3.csv"
              | fields lookup ]
        </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
      <fieldForLabel>lookup</fieldForLabel>
      <fieldForValue>lookup</fieldForValue>
    </input>
<input type="dropdown" token="lookup" searchWhenChanged="true">
      <search>
        <query>
          | inputlookup $first$
          | fields fieldA
        </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
      <fieldForLabel>fieldA</fieldForLabel>
      <fieldForValue>fieldA</fieldForValue>
    </input>

in this way, using the first dropdown you select the lookup and using the second dropdown you choose the value in the lookup.

If you have different fields in the lookups, you have to normalize them using the same field names (using rename).

Ciao.

Giuseppe

0 Karma

Real_captain
Path Finder

Hi @gcusello, thanks for the update. But I am not looking for a dropdown panel. I've tried to explain my query again in detail.

This is a panel that depends on a table and will be displayed when we click any row in the parent table.

Below is the parent table. 

Real_captain_1-1740488586321.png

When I click on the 1st row of the above table, I want to open a new panel which uses lookup1.csv.
When I click on the 2nd row of the above table, I want to open a new panel which uses lookup2.csv.
When I click on the 3rd row of the above table, I want to open a new panel which uses lookup3.csv.

To do this, I have used the drilldown option in the above table:
<drilldown>
<condition match="isnotnull($raw_hide$)">
<unset token="raw_hide"></unset>
<unset token="raw_APPLICATION"></unset>
</condition>
<condition>
<set token="raw_hide">true</set>
<set token="raw_APPLICATION">$row.APPLICATION$</set>
</condition>
</drilldown>

Is it possible to add something in the new panel (which has a separate search) along with "<panel depends="$raw_hide$">" but uses
lookup1.csv  when we click row1 of parent table 
lookup2.csv  when we click row2 of parent table 
lookup3.csv  when we click row3 of parent table 

New panel runs search with :
| inputlookup append=t lookup1.csv  when row1 is clicked. 
| inputlookup append=t lookup2.csv  when row2 is clicked. 
| inputlookup append=t lookup3.csv  when row3 is clicked. 

0 Karma

gcusello
SplunkTrust

Hi @Real_captain ,

there are two things to analyze:

to open a new panel depending on the value of a click, you can look at the Dashboard Examples App (even if it's archived, it's still useful for this!).

to pass the lookup value, you could add this information as a hidden field to each row and use it for the drilldown in the dashboard.

In other words, you add this information to each row using e.g. an eval case:

| eval lookup=case(
     APPLICATION="app1","lookup1.csv",
     APPLICATION="app2","lookup2.csv",
     APPLICATION="app3","lookup3.csv")

In this way, you have a field to use in the drilldowns.

Then you hide this field in the first table using the <fields></fields> tag, but you can still use it in the drilldown.

Ciao.

Giuseppe

0 Karma
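
The two suggestions from the reply above combined into one dashboard, as an added example that is not part of the original thread: the parent search computes a hidden `lookup` field with `case()`, the drilldown copies it into a token, and the detail panel reads that file. The token name `raw_lookup` and the `makeresults` rows (a constructed stand-in for the real parent search) are assumptions; the file name comes from the fixed `case()` mapping rather than from free text in the clicked row.

```xml
<dashboard>
  <label>Lookup per clicked row (added example)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Constructed stand-in for the parent search: one row per application -->
          <query>
            | makeresults count=3
            | streamstats count AS n
            | eval APPLICATION=case(n=1,"app1", n=2,"app2", n=3,"app3")
            | eval lookup=case(
                APPLICATION="app1","lookup1.csv",
                APPLICATION="app2","lookup2.csv",
                APPLICATION="app3","lookup3.csv")
            | table APPLICATION lookup
          </query>
        </search>
        <!-- Hide the helper column; $row.lookup$ stays available to the drilldown -->
        <fields>["APPLICATION"]</fields>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- Second click hides the detail panel again, as in the original drilldown -->
          <condition match="isnotnull($raw_hide$)">
            <unset token="raw_hide"></unset>
            <unset token="raw_APPLICATION"></unset>
            <unset token="raw_lookup"></unset>
          </condition>
          <condition>
            <set token="raw_hide">true</set>
            <set token="raw_APPLICATION">$row.APPLICATION$</set>
            <set token="raw_lookup">$row.lookup$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Shown only when both tokens are set, so the search never runs with an empty file name -->
    <panel depends="$raw_hide$,$raw_lookup$">
      <title>Details for $raw_APPLICATION$</title>
      <table>
        <search>
          <query>| inputlookup append=t $raw_lookup$</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```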