Splunk Search

How to display a table based on a clicked value of another table?

sh254087
Communicator

I have a table with 1 column and 6 rows which I'll be changing to 1 row and 6 columns using transpose and eventually hide the header using CSS, such that I only have a row of 6 different values, say - A, B, C, D, E, F.

I want to display details related to each of those 6 values based on what value is clicked. The query for each of those 6 values are different and hence I have placed them in separate tables, something like - TableA, TableB,...,TableF. 

I have come across <condition/> option but I'm not able to make out how I can use that in this scenario.

Any leads in achieving this will be of great help.

Labels (4)
Tags (2)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@sh254087 

Can you please try this?

<dashboard version="1.1">
  <label>Dynamic Depends</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval F="A,B,C,D,E,F",F=split(F,",") 
| mvexpand F 
| eval H=F 
| table H F 
| transpose header_field=H 
| fields - column</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition match="$click.value2$==&quot;A&quot;">
            <set token="panel_A">$click.value2$</set>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;B&quot;">
            <set token="panel_B">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;C&quot;">
            <set token="panel_C">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;D&quot;">
            <set token="panel_D">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;E&quot;">
            <set token="panel_E">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;F&quot;">
            <set token="panel_F">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  
  <row>
    <panel depends="$panel_A$">
      <title>Panel A</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_A$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_B$">
      <title>Panel B</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_B$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_C$">
      <title>Panel C</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_C$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_D$">
      <title>Panel D</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_D$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_E$">
      <title>Panel E</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_E$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_F$">
      <title>Panel F</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_F$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

 

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

sh254087
Communicator

Is there a way that I can accept two solutions?

0 Karma

bowesmana
SplunkTrust
SplunkTrust

You can only accept one, but you accepted the right one 😁

0 Karma

sh254087
Communicator

@kamlesh_vaghela KV, Thank you very much for putting an effort into sharing this. It is in detail and very helpful. It just works the way I wanted it to. Thank you very much, again. Appreciate it.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

You don't actually need the <condition> block, as you can set/unset tokens with an <eval> token setting method, i.e. using @kamlesh_vaghela example, you can replace the entire condition block with

        <drilldown>
          <eval token="panel_A">if($click.value2$="A","true",null())</eval>
          <eval token="panel_B">if($click.value2$="B","true",null())</eval>
          <eval token="panel_C">if($click.value2$="C","true",null())</eval>
          <eval token="panel_D">if($click.value2$="D","true",null())</eval>
          <eval token="panel_E">if($click.value2$="E","true",null())</eval>
          <eval token="panel_F">if($click.value2$="F","true",null())</eval>
        </drilldown>

Using an IF clause in the eval and setting the token to null() for the false case will unset the corresponding token

sh254087
Communicator

@bowesmana Thank you too, for the refining tip. tried this and this as well worked perfectly. thank you very much, again. Appreciate it.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@sh254087 

Can you please try this?

<dashboard version="1.1">
  <label>Dynamic Depends</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval F="A,B,C,D,E,F",F=split(F,",") 
| mvexpand F 
| eval H=F 
| table H F 
| transpose header_field=H 
| fields - column</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition match="$click.value2$==&quot;A&quot;">
            <set token="panel_A">$click.value2$</set>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;B&quot;">
            <set token="panel_B">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;C&quot;">
            <set token="panel_C">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;D&quot;">
            <set token="panel_D">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;E&quot;">
            <set token="panel_E">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;F&quot;">
            <set token="panel_F">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  
  <row>
    <panel depends="$panel_A$">
      <title>Panel A</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_A$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_B$">
      <title>Panel B</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_B$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_C$">
      <title>Panel C</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_C$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_D$">
      <title>Panel D</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_D$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_E$">
      <title>Panel E</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_E$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_F$">
      <title>Panel F</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_F$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

 

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

Get Updates on the Splunk Community!

Cloud Platform | Customer Change Announcement: Email Notification Will Be Available ...

The Notification Team is migrating our email service provider from Postmark to AWS Simple Email ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...