- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Drilldown from lookup populated dropdown
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a dashboard dropdown that I'm populating with "groups" from a lookup "group_ip_host". The idea is to have the user choose a group that takes the user, carrying the $group_tok$, to another dashboard that is generic to any group and does stuff based on the value of $group_tok$.
The dropdown is populating. I can see $group_tok$ being populated in the URL bar (notenoughkarmatopostalink/rpa_clone?form.group_tok=HR). I have verified that the "drilldown" dashboard is available and works given a $group_tok$, but making the selection on the top level dash doesn't take you to the drilldown. Here's my fieldset, what am I missing?
<fieldset autoRun="true" submitButton="false">
<input type="dropdown" token="group_tok" searchWhenChanged="true">
<label>Bot Category</label>
<search>
<query>
| inputlookup group_ip_host
| dedup group
| table group
</query>
</search>
<fieldForLabel>group</fieldForLabel>
<fieldForValue>group</fieldForValue>
<change>
<condition label="group">
<link target="_blank">
<![CDATA[/app/XXXXX/drilldown1?group=$group_tok$]]>
</link>
</condition>
</change>
</input>
</fieldset>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richkappler
Please check this
<form>
<label>navigation</label>
<fieldset autoRun="true" submitButton="false">
<input type="dropdown" token="group_tok" searchWhenChanged="true">
<label>Bot Category</label>
<fieldForLabel>group</fieldForLabel>
<fieldForValue>group</fieldForValue>
<change>
<condition label="group">
<link target="_blank">
<![CDATA[/app/search/seconddashboard?form.param=$group_tok$]]>
</link>
</condition>
</change>
<choice value="group">group</choice>
</input>
</fieldset>
</form>
Second dashboard:
<form>
<label>seconddashboard</label>
<fieldset submitButton="false">
<input type="text" token="param">
<label>Dropdown Value</label>
</input>
</fieldset>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Further information: @vnravikumar - running your code as written does indeed work as a standalone, however, when I add in the search to populate the lookup instead of hardcoding choice, it does not work. Here are the 2 pieces of xml:
This works:
<form>
<label>navigation</label>
<fieldset autoRun="true" submitButton="false">
<input type="dropdown" token="group_tok" searchWhenChanged="true">
<label>Bot Category</label>
<fieldForLabel>group</fieldForLabel>
<fieldForValue>group</fieldForValue>
<change>
<condition label="group">
<link target="_blank">
drilldown1?form.param=$group_tok$
</link>
</condition>
</change>
<choice value="group">group</choice>
</input>
</fieldset>
</form>
This does NOT work:
<form>
<label>navigation</label>
<fieldset autoRun="true" submitButton="false">
<input type="dropdown" token="group_tok" searchWhenChanged="true">
<label>Bot Category</label>
<!-- Dynamic definition of choices -->
<search>
<query>
| inputlookup group_ip_host
| dedup group
| table group
</query>
</search>
<fieldForLabel>group</fieldForLabel>
<fieldForValue>group</fieldForValue>
<change>
<condition label="group">
<link target="_blank">
drilldown1?form.param=$group_tok$
</link>
</condition>
</change>
</input>
</fieldset>
</form>
You will please note that the only difference is choice is removed and the search is added. As before, I can see, in the url bar, that the $group_tok$ is picking up the dropdown selection, but the new tab is not opening. The search is not providing a choice to the change stanza.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richkappler
Please check this
<form>
<label>navigation</label>
<fieldset autoRun="true" submitButton="false">
<input type="dropdown" token="group_tok" searchWhenChanged="true">
<label>Bot Category</label>
<fieldForLabel>group</fieldForLabel>
<fieldForValue>group</fieldForValue>
<change>
<condition label="group">
<link target="_blank">
<![CDATA[/app/search/seconddashboard?form.param=$group_tok$]]>
</link>
</condition>
</change>
<choice value="group">group</choice>
</input>
</fieldset>
</form>
Second dashboard:
<form>
<label>seconddashboard</label>
<fieldset submitButton="false">
<input type="text" token="param">
<label>Dropdown Value</label>
</input>
</fieldset>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see and understand the changes that you suggested, though I'm confused as to why there are 2 forms on one page, am I missing something?
Regardless, this did not work. the group only added, as one would expect, a choice of "group" to the dropdown, which I do not want.
The search is not in your code, so there is nothing to populate the dropdown with except the above-mentioned "group"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updated above, the second form is another dashboard. I had created under the search app. For sample purpose, I had added only one value to dropdown as group.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This did not work. I've built literally dozens of drilldowns to dashboards that read an pass tokens, this is the first time I have populated the dropdown with a lookup, I don't know if that's relevant. It would appear that the $group_tok$ that is being generated by making a choice from the dropdown is not being passed to the stanza. Can't figure out why. If I hard code it, it works, even passing tokens from the dropdown to and from one dash to another.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
missing from above: for some reason the xml phrase I put in did not publish, should have read -> "making a choice from the dropdown is not beingpassed to the change stanza" and "passing tokens from the dropdown to change and from one dash to another."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with
<change>
<condition>
<link target="_blank">
<![CDATA[/app/XXXXX/drilldown1?group=$group_tok$]]>
</link>
</condition>
</change>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with condition like above and let me know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, that was the original non-working code I posted. Tried again just to be sure, makes no difference. I had verified the functionality of not using CDATA before I posted it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Remove label="group" in condition tag
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Winner Winner Chicken Dinner, that did the trick, thank you!
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
