
How to display a table based on a clicked value of another table?

sh254087
Communicator

I have a table with 1 column and 6 rows which I'll be changing to 1 row and 6 columns using transpose and eventually hide the header using CSS, such that I only have a row of 6 different values, say - A, B, C, D, E, F.

I want to display details related to each of those 6 values based on which value is clicked. The query for each of those 6 values is different, and hence I have placed them in separate tables, something like - TableA, TableB,...,TableF.

I have come across the <condition/> option, but I'm not able to make out how I can use it in this scenario.

Any leads in achieving this will be of great help.

0 Karma

kamlesh_vaghela
SplunkTrust

@sh254087 

Can you please try this?

<dashboard version="1.1">
  <label>Dynamic Depends</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval F="A,B,C,D,E,F",F=split(F,",") 
| mvexpand F 
| eval H=F 
| table H F 
| transpose header_field=H 
| fields - column</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition match="$click.value2$==&quot;A&quot;">
            <set token="panel_A">$click.value2$</set>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;B&quot;">
            <set token="panel_B">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;C&quot;">
            <set token="panel_C">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;D&quot;">
            <set token="panel_D">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_E"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;E&quot;">
            <set token="panel_E">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_F"></unset>
          </condition>
          <condition match="$click.value2$==&quot;F&quot;">
            <set token="panel_F">$click.value2$</set>
            <unset token="panel_A"></unset>
            <unset token="panel_B"></unset>
            <unset token="panel_C"></unset>
            <unset token="panel_D"></unset>
            <unset token="panel_E"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  
  <row>
    <panel depends="$panel_A$">
      <title>Panel A</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_A$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_B$">
      <title>Panel B</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_B$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_C$">
      <title>Panel C</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_C$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_D$">
      <title>Panel D</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_D$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_E$">
      <title>Panel E</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_E$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$panel_F$">
      <title>Panel F</title>
      <table>
        <search>
          <query>| makeresults | eval Message="This is flag $panel_F$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

 

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.
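
Added example, not part of the original post: with one hand-written <condition> per value, a single forgotten <unset> leaves an earlier panel visible next to the new one. The Python check below parses a dashboard's Simple XML and reports any depends token that a condition neither sets nor unsets; the function name lint_drilldown and the three-value sample dashboard are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: 3-value version of the dashboard above; the "C" condition omits <unset token="panel_A">.
SAMPLE = """<dashboard version="1.1">
  <row><panel><table><drilldown>
    <condition match="$click.value2$==&quot;A&quot;">
      <set token="panel_A">$click.value2$</set>
      <unset token="panel_B"></unset>
      <unset token="panel_C"></unset>
    </condition>
    <condition match="$click.value2$==&quot;B&quot;">
      <set token="panel_B">$click.value2$</set>
      <unset token="panel_A"></unset>
      <unset token="panel_C"></unset>
    </condition>
    <condition match="$click.value2$==&quot;C&quot;">
      <set token="panel_C">$click.value2$</set>
      <unset token="panel_B"></unset>
    </condition>
  </drilldown></table></panel></row>
  <row>
    <panel depends="$panel_A$"/>
    <panel depends="$panel_B$"/>
    <panel depends="$panel_C$"/>
  </row>
</dashboard>"""


def lint_drilldown(xml_text):
    """Return problems that would leave a panel stuck visible or never shown."""
    root = ET.fromstring(xml_text)
    # Tokens that gate panels, e.g. depends="$panel_A$" -> "panel_A".
    gated = {tok.strip().strip("$")
             for panel in root.iter("panel")
             for tok in panel.get("depends", "").split(",") if tok.strip()}
    problems, ever_set = [], set()
    for cond in root.iter("condition"):
        sets = {e.get("token") for e in cond.findall("set")}
        unsets = {e.get("token") for e in cond.findall("unset")}
        ever_set |= sets
        for tok in sorted(gated - sets - unsets):
            problems.append(f"{cond.get('match')}: {tok} is not unset")
    for tok in sorted(gated - ever_set):
        problems.append(f"{tok} gates a panel but no condition sets it")
    return problems


if __name__ == "__main__":
    print("\n".join(lint_drilldown(SAMPLE)))
```

The check only covers <set>/<unset> children of <condition>; it does not model <eval> token settings.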


sh254087
Communicator

Is there a way that I can accept two solutions?

0 Karma

bowesmana
SplunkTrust

You can only accept one, but you accepted the right one 😁

0 Karma

sh254087
Communicator

@kamlesh_vaghela KV, Thank you very much for putting an effort into sharing this. It is in detail and very helpful. It just works the way I wanted it to. Thank you very much, again. Appreciate it.

0 Karma

bowesmana
SplunkTrust

You don't actually need the <condition> block, as you can set/unset tokens with an <eval> token setting method, i.e. using @kamlesh_vaghela's example, you can replace the entire condition block with:

        <drilldown>
          <eval token="panel_A">if($click.value2$="A","true",null())</eval>
          <eval token="panel_B">if($click.value2$="B","true",null())</eval>
          <eval token="panel_C">if($click.value2$="C","true",null())</eval>
          <eval token="panel_D">if($click.value2$="D","true",null())</eval>
          <eval token="panel_E">if($click.value2$="E","true",null())</eval>
          <eval token="panel_F">if($click.value2$="F","true",null())</eval>
        </drilldown>

Using an IF clause in the eval and setting the token to null() for the false case will unset the corresponding token.

sh254087
Communicator

@bowesmana Thank you too, for the refining tip. Tried this, and this worked perfectly as well. Thank you very much, again. Appreciate it.

0 Karma
