Splunk Enterprise

Trellis drilldown issues when using token

shazbot79
Path Finder

Hi,

I have a trellis which I need to enable drilldown on which should launch a custom search using a token determined by which part of the trellis is being clicked. Here is my code which is not working. I've tried $trellis.name$ and $trellis.value$ but neither works...

Any help much appreciated!

      <single id="singleTrellis2">
        <title>Breakdown of Packaged Win10 Applications</title>
        <search>
          <query>| inputlookup SCCM_data 
| search DevicesWithApp_2012&gt;0 AND Retired!=TRUE "Organization Name"="$dept$" "Level 01 Organization Name"="$division$" 
| dedup SoftwareName 
| eval label="_" 
| search Packaged_2016=TRUE 
| fillnull value="To_Be_Reviewed" Proven 
| eval Proven=if(Proven="NULL","To_Be_Reviewed",Proven) 
| eval Proven=if(Proven="UnProven","Awaiting_Sign_Off",Proven) 
| eval Proven=if(Proven="Proven","Ready_To_Deploy",Proven) 
| rename Proven as Proven? 
| stats count by Proven? 
| transpose header_field=Proven? column_name=Proven? 
| fields - Proven?</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">all</option>
        <option name="height">120</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">_aggregation</option>
        <option name="useColors">0</option>
        <drilldown>
          <set token="proven">$trellis.name$</set>
          <link target="_blank">search?q=%7C%20inputlookup%20SCCM_data%20%0A%7C%20search%20DevicesWithApp_2012%3E0%20AND%20Retired!%3DTRUE%20%22Organization%20Name%22%3D%22$dept$%22%20%22Level%2001%20Organization%20Name%22%3D%22$division$%22%20%0A%7C%20dedup%20SoftwareName%20%0A%7C%20eval%20label%3D%22_%22%20%0A%7C%20search%20Packaged_2016%3DTRUE%20%0A%7C%20fillnull%20value%3D%22To_Be_Reviewed%22%20Proven%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22NULL%22%2C%22To_Be_Reviewed%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22UnProven%22%2C%22Awaiting_Sign_Off%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22Proven%22%2C%22Ready_To_Deploy%22%2CProven)%20%0A%7C%20search%20Proven%3D%22$proven$%22%20%0A%7C%20fields%20FriendlyTitle%202016Name%20Proven&amp;earliest=-24h@h&amp;latest=now</link>
        </drilldown>
      </single>
0 Karma

makelovenotwar
Path Finder

This is also an issue for me (not using aggregations). All the $trellis...$ tokens don't work when passing to a custom search. My workaround was to copy the URI generated for my search, and insert the $trellis...$ token in the proper place (I used a |u for URL encoding but not sure it's necessary). When using the "Link to Custom URL" drilldown, the tokens work just fine. Downside is that now the user gets the "Redirecting Away From Splunk" message prior to being redirected.

0 Karma

ITWhisperer
SplunkTrust

It is not clear which "part" of the trellis you are referring to, but assuming it is the name above the value, then trellis value is probably what you want. However, you should ensure it is encoded for use in a URL:

<link target="_blank">search?q=%7C%20inputlookup%20SCCM_data%20%0A%7C%20search%20DevicesWithApp_2012%3E0%20AND%20Retired!%3DTRUE%20%22Organization%20Name%22%3D%22$dept$%22%20%22Level%2001%20Organization%20Name%22%3D%22$division$%22%20%0A%7C%20dedup%20SoftwareName%20%0A%7C%20eval%20label%3D%22_%22%20%0A%7C%20search%20Packaged_2016%3DTRUE%20%0A%7C%20fillnull%20value%3D%22To_Be_Reviewed%22%20Proven%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22NULL%22%2C%22To_Be_Reviewed%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22UnProven%22%2C%22Awaiting_Sign_Off%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22Proven%22%2C%22Ready_To_Deploy%22%2CProven)%20%0A%7C%20search%20Proven%3D%22$trellis.value|u$%22%20%0A%7C%20fields%20FriendlyTitle%202016Name%20Proven&amp;earliest=-24h@h&amp;latest=now</link>
0 Karma

shazbot79
Path Finder

It is the text above the value that I want to use as the token. However, $trellis.value$ isn't working either. When you say ensure it is encoded to be used as part of a link what do you mean by that? How do I do that?

Thanks

0 Karma

ITWhisperer
SplunkTrust

As I showed above, try this way $trellis.value|u$

0 Karma

shazbot79
Path Finder

Hmmm... I've amended it to that and it produces a search with this SPL:

 

| inputlookup SCCM_data 
| search DevicesWithApp_2012>0 AND Retired!=TRUE "Organization Name"="*" "Level 01 Organization Name"="*" 
| dedup SoftwareName 
| eval label="_" 
| search Packaged_2016=TRUE 
| fillnull value="To_Be_Reviewed" Proven 
| eval Proven=if(Proven="NULL","To_Be_Reviewed",Proven) 
| eval Proven=if(Proven="UnProven","Awaiting_Sign_Off",Proven) 
| eval Proven=if(Proven="Proven","Ready_To_Deploy",Proven) 
| search Proven="$trellis.value|u$"
| fields FriendlyName SoftwareName 2016Name

 

I'm a bit stumped as to why it isn't capturing the value from the trellis to use as the token.

0 Karma
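
An added example, not part of the thread and not Splunk's code: a simplified Python model of what the `|u` filter suggested above does to a clicked value placed in the link's `q` parameter, compared with the `|n` (no encoding) filter and with a token that was never set, which leaves the placeholder literal as in the last post. The shortened link and the clicked value are constructed, and `substitute`, `received` and `demo` are hypothetical helpers.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

# Constructed, shortened version of the thread's drilldown target. The SPL is
# percent-encoded by hand; the token placeholder stays literal.
LINK_U = ("search?q=%7C%20inputlookup%20SCCM_data%20%7C%20search%20"
          "Proven%3D%22$trellis.value|u$%22&earliest=-24h@h&latest=now")
LINK_N = LINK_U.replace("|u$", "|n$")   # same link with the no-encoding filter

TOKEN = re.compile(r"\$([\w.]+)\|([un])\$")


def substitute(link, tokens):
    """Simplified model of token substitution: |u percent-encodes, |n does not."""
    def repl(match):
        name, flt = match.groups()
        if name not in tokens:          # unset token: placeholder stays literal
            return match.group(0)
        value = tokens[name]
        return quote(value, safe="") if flt == "u" else value
    return TOKEN.sub(repl, link)


def received(url):
    """Query parameters as the target page would parse them from the URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def demo():
    clicked = {"trellis.value": 'R&D "beta"'}   # constructed clicked value
    return (received(substitute(LINK_U, clicked)),   # encoded value
            received(substitute(LINK_N, clicked)),   # raw value
            received(substitute(LINK_U, {})))        # token never set


if __name__ == "__main__":
    for label, params in zip(("|u", "|n", "unset"), demo()):
        print(f"{label:6} q = {params['q']}")
```

Percent-encoding protects only the URL layer: after decoding, a double quote in the value still ends the quoted string inside the SPL.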