Splunk Search

How to display fields that have a common value in a table?

clairebesson
Explorer

Hi everyone,

I have a file with serial numbers and purchase order numbers.

In a first table, I display a serial number and the corresponding purchase order. This table is the result of a drilldown. The user has clicked on a serial number on another page. The new page got the serial_token in an text input and displays the result in a table (serial number and purchase order number).

On the same page, in a second table, I want to display all the serial numbers that have the same purchase order as my first table.
I have no idea on how I can do the second table. Could you please help me with that?
Thanks,

0 Karma
1 Solution

somesoni2
Revered Legend

You would have to change the drilldown=cell to drilldown=row in your first table and change

/app/search/serialdetails?form.serial_number_token=$click.value2$&form.po_token=$row.po_token$

to

/app/search/serialdetails?form.serial_number_token=$row.Serial Number$&form.po_token=$row.PO$

View solution in original post

somesoni2
Revered Legend

You would have to change the drilldown=cell to drilldown=row in your first table and change

/app/search/serialdetails?form.serial_number_token=$click.value2$&form.po_token=$row.po_token$

to

/app/search/serialdetails?form.serial_number_token=$row.Serial Number$&form.po_token=$row.PO$

clairebesson
Explorer

thanks @somesoni2 it works perfectly.
If I add a third table from another source (source 2), is it possible to capture a value in this table?
Here is the query for the third table :
source="source2.csv" "Serial Number"=$serial_number_token$ “Location”=”*”>
It displays a table with the location of the serial number selected.
Is it possible to create another table that display all Serial Number in the same location (without click on the location value)?
I tried to add $row.Location$

0 Karma

somesoni2
Revered Legend

Same location as currently selected serial_number (token value $serial_number_token$) OR All location and all serial number?

0 Karma

clairebesson
Explorer

@somesoni2 same location as currently selected serial_number (serial_number_token)

0 Karma

clairebesson
Explorer

@somesoni2 any idea ?
I was thinking to do that in the search: "For a specific serial number, find other that have the same location as serial number selected" ...

0 Karma

somesoni2
Revered Legend

You can probably use subsearch to add location filter. Something like this (the subsearch get the location of selected Serial Number and add as filter to main search)

source="source2.csv"  [search source="source2.csv" source="source2.csv" "Serial Number"=$serial_number_token$ | table Location ] | table "Serial Number" Location
0 Karma

clairebesson
Explorer

thanks a lot !

0 Karma

clairebesson
Explorer

Thank you very much. It works perfectly !

frobinson_splun
Splunk Employee
Splunk Employee

Hi @clairebesson,
I'm a tech writer here at Splunk and I'd like to help with your question. I'm not 100% sure of the workflow you're describing here. It sounds like this to me:
1) text input for serial number captures serial_token
2) serial_token is passed to a page that displays serial numbers
3) user clicks on a serial number to drill down
4) drilldown displays a serial number + purchase order number in a table
And you'd like to add this:
5) another panel shows all serial numbers connected to the purchase order from the previous step.

I think what might work is to capture the purchase order in a token somewhere between step 3 and 4 here. Use that purchase order value in a search over your full data set that then generates the new (2nd) table showing all serial numbers that match the purchase order.

I would suggest taking a look at this documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/Dynamicdrilldownindashboardsandforms
http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/tokens
http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/TokenReference

I hope this helps! Let me know either way and we can continue discussing.

All the best,
@frobinson_splunk

0 Karma

clairebesson
Explorer

Hi, thanks for your answer.
1) First dashboard:
- User clicks on serial number and go to other dashboard (second dashboard)
2) Second Dashboard:
- text input captures serial_token
- Table 1: Serial Number selected and PO
- Table 2: all serial numbers connected to the purchase order
alt text

I created a second text input to capture po_token:

<link target="Serial">/app/search/serialdetails?form.serial_number_token=$click.value2$&amp;form.po_token=$row.po_token$  </link>

But it didn't work... I don't know how to capture the PO value when I click on Serial Number...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...