Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Drilldown with $click$ values not working

bowesmana
SplunkTrust
SplunkTrust
‎05-06-2017 03:39 PM

I have a dashboard where I display a list of wines. I want to be able to incrementally add the wine name to a search criteria so the user can select the wines they are interested in. The wine name field is "Description", so I have the query like

index=... $wines$

$wines$ is unset the first time around and this drilldown will work for the first click

<set token="wines">$click.name2$=$click.value2|s$</set>

which sets Description="wine", depending on the click, but of course this overwrites $wines$ each click. In order to build up the criteria I tried using eval/if

I tried

<eval token="wines">if(match($wines$, "Description"), "AlreadySet", "$click.name2$"="$click.value2|s$")</eval>

but this results in $wines$ being 'false'.

I know that if I just put "XX" in the else part of the if, it returns that. I have tried no quotes, double $ sign and so, but I can't make it work. I also tried elements with no luck.

Any ideas on how I can achieve what I want, i.e. to ultimately get

Description="Wine 1" OR Description="Wine 2" OR Description="Wine 3"...

like a standard multi select dropdown. I'm not using that multi select as it's too slow - there are 10,000 wines...

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2017 06:24 PM

I solved my original problem with the following

<set token="query">(Description=$row.Description|s$ Vintage=$row.Vintage|s$)</set>
<set token="wines">$wines$ OR $query$</set

and in the dashboard set wines to Description="XX", which saved having to use eval in the drilldown. Works nicely, other than I've not found a good way to "unclick" a particular wine/vintage to remove it from the currently selected wine set. Small problem though.

Would still be nice to understand why I couldn't get it to work with to eval statement.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2017 06:24 PM

I solved my original problem with the following

<set token="query">(Description=$row.Description|s$ Vintage=$row.Vintage|s$)</set>
<set token="wines">$wines$ OR $query$</set

and in the dashboard set wines to Description="XX", which saved having to use eval in the drilldown. Works nicely, other than I've not found a good way to "unclick" a particular wine/vintage to remove it from the currently selected wine set. Small problem though.

Would still be nice to understand why I couldn't get it to work with to eval statement.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-07-2017 06:28 AM

I did something similar when I needed to search tens-of-thousands of software packages. I used 2 controls instead of one. The unusual control was a RegEx based pre-filter on the main multi-select control:

<label>Demo for whittling down a HUGE selection list to manageable chunk</label>
<description>This is not the exact answer that you were seeking, but may be a good alternative</description>
<fieldset autorun="false" submitButton="true">
  <input type="text" token="filter_token" searchWhenChanged="false">
    <label>RegEx filter for Wine Dropdown --&gt;</label>
    <default>.</default>
  </input>
  <input type="dropdown" token="wine_token" searchWhenChanged="false">
    <label>(&lt;-- filtered) Wine Selector:</label>
    <default>*</default>
    <choice value="*">All</choice>
    <fieldForLabel>wine</fieldForLabel>
    <fieldForValue>wine</fieldForValue>
    <search>
      <query>| inputcsv winelist.csv | regex wine="(?i)$filter_token$" | table wine</query>
      <earliest>-1s</earliest>
      <latest>now</latest>
    </search>
  </input>
</fieldset>

The really nice thing about this is that it very natural and only the geeks who grok RegEx need to know it is RegEx under the hood; the plebes will just type white and it will "just work". They will need to be taught to do red|white and that will be good for 90+% of all users/searches and for those who need more, you get to geek mentor them into RegEx.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2017 03:12 AM

I like this as a cool idea. I've got a couple of filters, but was wondering how to make them more powerful as they are currently just raw text strings, so supporting regex would be really neat.

I solved my original problem with the following 

 <set token="query">(Description=$row.Description|s$ Vintage=$row.Vintage|s$)</set>
 <set token="wines">$wines$ OR $query$</set>

and initially set wines to Description="XX", which saved having to use eval in the drilldown. Works nicely, other than I've not found a good way to "unclick" a particular wine/vintage to remove it from the currently selected wine set. Small problem though.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-08-2017 05:50 PM

You should convert your comment to an answer and click Accept to close the question.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2017 06:26 PM

Duh! I didn't see the wheel to convert to answer... but thanks anyway for your regex stuff. Handy!

0 Karma
Reply
Solved! Jump to solution

puneethgowda
Communicator
‎05-07-2017 05:50 AM

New version has drill down in UI that would help you

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-07-2017 05:48 AM

Why is multi select too slow? That's the way to do it in Splunk in my humble opion. what search did you use to populate multiselect?

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2017 03:08 AM

The problem is that it's an AWS t2 micro instance 😞 and can't cope with the 10k results, just locks up the browser.

index=... sourcetype=...
| stats count by Description
| sort Description

I've used them many times before and you're right, it's the normal way to go. As to "why..." - my performance analysis of Splunk is not great - other than the golden rule of never use "transaction or join" 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...