Splunk Enterprise

Trellis drilldown issues when using token

shazbot79
Path Finder

Hi,

I have a trellis which I need to enable drilldown on which should launch a custom search using a token determined by which part of the trellis is being clicked. Here is my code which is not working. I've tried $trellis.name$ and $trellis.value$ but neither works...

Any help much appreciated!

<single id="singleTrellis2">
        <title>Breakdown of Packaged Win10 Applications</title>
        <search>
          <query>| inputlookup SCCM_data 
| search DevicesWithApp_2012&gt;0 AND Retired!=TRUE "Organization Name"="$dept$" "Level 01 Organization Name"="$division$" 
| dedup SoftwareName 
| eval label="_" 
| search Packaged_2016=TRUE 
| fillnull value="To_Be_Reviewed" Proven 
| eval Proven=if(Proven="NULL","To_Be_Reviewed",Proven) 
| eval Proven=if(Proven="UnProven","Awaiting_Sign_Off",Proven) 
| eval Proven=if(Proven="Proven","Ready_To_Deploy",Proven) 
| rename Proven as Proven? 
| stats count by Proven? 
| transpose header_field=Proven? column_name=Proven? 
| fields - Proven?</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">all</option>
        <option name="height">120</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">_aggregation</option>
        <option name="useColors">0</option>
        <drilldown>
          <set token="proven">$trellis.name$</set>
          <link target="_blank">search?q=%7C%20inputlookup%20SCCM_data%20%0A%7C%20search%20DevicesWithApp_2012%3E0%20AND%20Retired!%3DTRUE%20%22Organization%20Name%22%3D%22$dept$%22%20%22Level%2001%20Organization%20Name%22%3D%22$division$%22%20%0A%7C%20dedup%20SoftwareName%20%0A%7C%20eval%20label%3D%22_%22%20%0A%7C%20search%20Packaged_2016%3DTRUE%20%0A%7C%20fillnull%20value%3D%22To_Be_Reviewed%22%20Proven%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22NULL%22%2C%22To_Be_Reviewed%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22UnProven%22%2C%22Awaiting_Sign_Off%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22Proven%22%2C%22Ready_To_Deploy%22%2CProven)%20%0A%7C%20search%20Proven%3D%22$proven$%22%20%0A%7C%20fields%20FriendlyTitle%202016Name%20Proven&amp;earliest=-24h@h&amp;latest=now</link>
        </drilldown>
      </single>
0 Karma

makelovenotwar
Path Finder

This is also an issue for me (not using aggregations). All the $trellis...$ tokens don't work when passing to a custom search. My workaround was to copy the URI generated for my search, and insert the $trellis...$ token in the proper place (I used a |u for URL encoding but not sure it's necessary). When using the "Link to Custom URL" drilldown, the tokens work just fine. Downside is that now the user gets the "Redirecting Away From Splunk" message prior to being redirected.

0 Karma

ITWhisperer
SplunkTrust

It is not clear which "part" of the trellis you are referring to, but assuming it is the name above the value, then trellis value is probably what you want; however, you should ensure it is encoded for use in a URL:

<link target="_blank">search?q=%7C%20inputlookup%20SCCM_data%20%0A%7C%20search%20DevicesWithApp_2012%3E0%20AND%20Retired!%3DTRUE%20%22Organization%20Name%22%3D%22$dept$%22%20%22Level%2001%20Organization%20Name%22%3D%22$division$%22%20%0A%7C%20dedup%20SoftwareName%20%0A%7C%20eval%20label%3D%22_%22%20%0A%7C%20search%20Packaged_2016%3DTRUE%20%0A%7C%20fillnull%20value%3D%22To_Be_Reviewed%22%20Proven%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22NULL%22%2C%22To_Be_Reviewed%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22UnProven%22%2C%22Awaiting_Sign_Off%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22Proven%22%2C%22Ready_To_Deploy%22%2CProven)%20%0A%7C%20search%20Proven%3D%22$trellis.value|u$%22%20%0A%7C%20fields%20FriendlyTitle%202016Name%20Proven&amp;earliest=-24h@h&amp;latest=now</link>
0 Karma
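What "encoded for use in a URL" involves for a link like the one above, as an added example that is not part of the original posts: it percent-encodes the SPL for the `q=` parameter, leaves `$token$` placeholders literal (appending the Simple XML `|u` URL-encoding filter where a token has no filter), and XML-escapes `&` for the dashboard source. The function names and the shortened sample query are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit
from xml.sax.saxutils import escape, unescape

# $name$ or $name|filter$, where filter is one of Simple XML's s, h, u, n.
TOKEN = re.compile(r"\$([A-Za-z_][\w.]*)(\|[shun])?\$")

def encode_spl(spl):
    """Percent-encode SPL for q=, leaving $token$ placeholders literal."""
    out, pos = [], 0
    for m in TOKEN.finditer(spl):
        out.append(quote(spl[pos:m.start()], safe=""))
        # Tokens with no filter get |u so the clicked value is URL-encoded.
        out.append("$%s%s$" % (m.group(1), m.group(2) or "|u"))
        pos = m.end()
    out.append(quote(spl[pos:], safe=""))
    return "".join(out)

def build_link(spl, earliest="-24h@h", latest="now"):
    """Return text for a Simple XML <link> element (XML-escaped)."""
    url = "search?q=%s&earliest=%s&latest=%s" % (
        encode_spl(spl), quote(earliest, safe="@"), quote(latest, safe="@"))
    return escape(url)  # '&' must appear as '&amp;' inside dashboard XML

def decode_link(link_text):
    """Recover the SPL a <link> will run, to diff against the panel query."""
    return parse_qs(urlsplit(unescape(link_text)).query)["q"][0]

# Constructed sample: a shortened form of the query from the thread.
SAMPLE_SPL = (
    '| inputlookup SCCM_data\n'
    '| search Retired!=TRUE "Organization Name"="$dept$"\n'
    '| search Proven="$trellis.value$"\n'
    '| fields FriendlyTitle 2016Name Proven'
)

if __name__ == "__main__":
    link = build_link(SAMPLE_SPL)
    print(link)               # paste between <link target="_blank"> tags
    print(decode_link(link))  # the search the link will actually open
```

Running `decode_link` on a hand-encoded link makes it easy to spot where the drilldown search has drifted from the panel's own query.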

shazbot79
Path Finder

It is the text above the value that I want to use as the token. However, $trellis.value$ isn't working either. When you say ensure it is encoded to be used as part of a link, what do you mean by that? How do I do that?

Thanks

0 Karma

ITWhisperer
SplunkTrust

As I showed above, try this way: $trellis.value|u$

0 Karma

shazbot79
Path Finder

Hmmm... I've amended it to that and it produces a search with this SPL:

| inputlookup SCCM_data 
| search DevicesWithApp_2012>0 AND Retired!=TRUE "Organization Name"="*" "Level 01 Organization Name"="*" 
| dedup SoftwareName 
| eval label="_" 
| search Packaged_2016=TRUE 
| fillnull value="To_Be_Reviewed" Proven 
| eval Proven=if(Proven="NULL","To_Be_Reviewed",Proven) 
| eval Proven=if(Proven="UnProven","Awaiting_Sign_Off",Proven) 
| eval Proven=if(Proven="Proven","Ready_To_Deploy",Proven) 
| search Proven="$trellis.value|u$"
| fields FriendlyName SoftwareName 2016Name

I'm a bit stumped as to why it isn't capturing the value from the trellis to use as the token.

0 Karma