Splunk Search

How do I create a drilldown for a specific cell location (not cell value) in a table?

nick405060
Motivator

Hi there,

I read a bunch of related Splunk answers, but so far I haven't seen a solution posted to creating a drilldown for a specific cell location in a table, other than by relying on the cell value. If you think of it like an Excel spreadsheet:

.. A B C D E F
1
2
3
4
5

I need a drilldown on A2 only, not A1 or B2. It doesn't matter what the value of A2 is, clicking on that value needs to drill down.

Thanks to xpac and rohit sharma2 for helping me out on this in the chatroom and mentioning click.value2 and row.field1, but it looks like those don't quite offer a solution.

0 Karma
1 Solution

niketn
Legend

Please try the following approach

Step 1: Add | streamstats count as sno after your current transforming command to get the row number for each table row.
Step 2: Since you know all the possible field names and the count remains five, use the <fields> Simple XML Table Configuration to keep only the required 5 columns (let's say field1, field2, field3, field4 and field5) and hide the sno field, which retains the table row number for drilldown.
Step 3: Use a match condition with $click.name2$ to identify the first field, i.e. field1, and $row.sno$ to get the row number, i.e. 2.

Please try the following run anywhere dashboard based on Splunk's _internal index which has only three columns for simplicity of example but it drills down to set token only if first column i.e. component and its corresponding value in the second row is clicked. Otherwise it remains unset.

PS: I have used tokens for Column and Row to test whether the drilldown is setting/unsetting the token as expected or not.

Following is run anywhere Simple XML Code for the Dashboard:

<dashboard>
  <label>Table First Column Second Row Drilldown</label>
  <row>
    <panel>
      <html>
        <div>tokClickedColumn: $tokClickedColumn$</div>
        <div>tokClickedRow= $tokClickedRow$</div>
        <div>tokFirstColumnSecondRowClicked: $tokFirstColumnSecondRowClicked$</div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title></title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| stats count by component log_level
| streamstats count as sno
| table sno *</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <fields>component,log_level,count</fields>
        <drilldown>
          <condition match="$click.name2$==&quot;component&quot; AND $row.sno$==&quot;2&quot;">
            <eval token="tokFirstColumnSecondRowClicked">case($row.sno$="2",$click.value2$)</eval>
            <!-- Debug Statements to capture Clicked Column and Row -->
            <set token="tokClickedRow">$row.sno$</set>
            <set token="tokClickedColumn">$click.name2$</set>
          </condition>
          <condition>
            <unset token="tokFirstColumnSecondRowClicked"></unset>
            <!-- Debug Statements to capture Clicked Column and Row -->
            <set token="tokClickedRow">$row.sno$</set>
            <set token="tokClickedColumn">$click.name2$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nick405060
Motivator

I'm trying this (copied and pasted into a new dash) and unfortunately the conditional statement isn't ever being met in Splunk 6.3. Even if I change it to just be

<condition match="$row.sno$==&quot;2&quot;">

it isn't being recognized as a match.

0 Karma

nick405060
Motivator

Yup, $row.sno$ is being evaluated to 0 if inside a conditional statement, both the conditional statement on line 27 and the one on line 28. Outside a conditional statement it works (evaluates to 2), e.g.:

<set token="tokClickedRow">$row.sno$</set>
0 Karma

niketn
Legend

@nick405060 if I understand the question.... Only if the cell value clicked in the table is value A2 you want to populate the same in text box?

Is it at a fixed column/row or can it be at any column/row location? Also can there be multiple value A2s in your table?

On a different note can you give a background of the use case, as to why only value A2 and what after populating in the text box? Are you planning to update some token and perform further activity/ies?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nick405060
Motivator

See edited post.

0 Karma

niketn
Legend

@nick405060 would you know all the field names i.e. A, B, C, D, E? Also would there be a fixed maximum number of fields i.e. 5 or more?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nick405060
Motivator

In my case, yes to both!

0 Karma

niketn
Legend

Would it be possible for you to share your drilldown code as to what you have tried? Or else explain what is the drilldown action you need to perform? Like whether you just need the First Column Second Row value to be set as a token or is it a drilldown link to launch a new Splunk Internal or External URL?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma