Solved: Re: Get only one value on drilldown for multiple v...

SirHill17 · ‎10-25-2017

Hi,
I am trying to give cell value using drilldown as parameter to another dashboard. Below is how I have defined it:

The source is a XML file containing multiple values for the same category. The output is a table, meaining some column contain a single value and some others multiple. So what I am trying to do it when clicking on a cell which contains multiple value I only want to have one value and not all.

I tried to use:

$row.MyField$
$click.value$
$cell.value$

But I didn't find any one working for my case.

Does anyone can help with that?

Thanks!

niketn · ‎10-25-2017

@SirHill17, please try $click.value2$ in the drilldown code

     <drilldown target="_blank">
       <condition field="dev_name">
          <link>
           <![CDATA[/app/myapp/mydashboard?form.var_symid=$row.symid$&form.var_device=$click.value2$&earliest=0&latest=]]>
         </link>
       </condition>
     </drilldown>

Just curious, if you are only interested in symid and dev_name and dev_name is the only multivalue field in your table, can you try the following to convert from multi value to single value?

  <YourBaseSearch>
 |  table symid dev_name
 |  mvexpand dev_name

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎10-25-2017

@SirHill17, please try $click.value2$ in the drilldown code

     <drilldown target="_blank">
       <condition field="dev_name">
          <link>
           <![CDATA[/app/myapp/mydashboard?form.var_symid=$row.symid$&form.var_device=$click.value2$&earliest=0&latest=]]>
         </link>
       </condition>
     </drilldown>

Just curious, if you are only interested in symid and dev_name and dev_name is the only multivalue field in your table, can you try the following to convert from multi value to single value?

  <YourBaseSearch>
 |  table symid dev_name
 |  mvexpand dev_name

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SirHill17 · ‎10-25-2017

Actually not. I have others fields which would require the same. Is there not any other command that make the trick like mvexpand but for multiple fields?

niketn · ‎10-25-2017

@SirHill17, First off, I fill $click.value2$ should work even with Multi Valued Fields. Please refer to the Splunk documentation for difference between $click.value$ and $click.value2$ : http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#Predefined_dri...

you can use mvzip() to stitch two multivalued fields together with a delimeter (default is comma) and then cascade mvzip() to have several multivalues sticked together. Then you can apply mvexpand to make all of them single value at the same time. In order to get back all the fields you will have to use split() with delimeter and followed by mvindex() function to pull specific fields based on their index.

Following is an example based on sample data provided:

<YourBaseSearch>
| rename SymCLI_ML.Symmetrix.Symm_Info.* as * 
| rename SymCLI_ML.Symmetrix.Device.Dev_Info.* as * 
| eval data=mvzip(dev_name,mvzip(configuration,rdfa_backed,","),",")
| table data
| mvexpand data
| eval data=split(data,",")
| eval dev_name=mvindex(data,0)
| eval configuration=mvindex(data,1)
| eval rdfa_backed=mvindex(data,2)
| table dev_name configuration rdfa_backed

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SirHill17 · ‎10-25-2017

Great ! $click.value2$ works!

Thanks for your help @niketnilay

niketn · ‎10-25-2017

@SirHill17, glad it worked. Do try out the example to convert all multi-valued fields to Single value, if that is your use case. Please let me know if it does not work and up vote if it does 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎10-25-2017

@SirHill17, can you please add the Table with Multiple Values Column Field Name and sample multi-value data. Also when you want to select one, is it first one or specific that you click?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SirHill17 · ‎10-25-2017

So the XML file looks like that:

<?xml version="1.0" standalone="yes" ?>
<SymCLI_ML>
  <Symmetrix>
    <Symm_Info>
      <symid>0000000001</symid>
    </Symm_Info>
    <Device>
      <Dev_Info>
        <dev_name>00001</dev_name>
        <configuration>RDF1+TDEV</configuration>
        <rdfa_backed>True</rdfa_backed>
      </Dev_Info>
    </Device>
    <Device>
      <Dev_Info>
        <dev_name>00002</dev_name>
        <configuration>RDF1+TDEV</configuration>
        <rdfa_backed>True</rdfa_backed>
      </Dev_Info>
    <Device>
  </Symmetrix>
</SymCLI_ML>

The table like that:

Row Number   symid               dev_name
1                  0000000001    00001
                                 00002

So I would like to have the value of the device when clicking on it, when I only use the default Cell drilldown it works fine, but when I want to give the value as a parameter to another dashboard using below command it gives both values:

<drilldown target="_blank">
   <link name="Device Name">
    <![CDATA[/app/myapp/mydashboard?form.var_symid=$row.symid$&form.var_device=$row.dev_name$&earliest=0&latest=]]>
  </link>
</drilldown>

Get only one value on drilldown for multiple values in a cell

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes