Splunk Search

How to edit my XML to initialize tokens for a contextual drilldown to point to different tables?

kshanky143
Path Finder

I have 3 tables. I want 2 things here:
a) Click on Source 1, in Table 1, and Table 2 should show up
b) Click on Source 2, in Table 1, and Table 3 should show up

Table 1 (main table )
Input ------- Count
Source 1 ---- 2
Source 2 ---- 3

Table 2 (gives me info about Source 1)
Name ------- ErrorMessage
test1.xml ----- Bad XML file
test2.xml ----- No Source Found

Table 3 (gives me info about Source 2)
Name ------- ErrorMessage
test3.xml ----- No profile found
test4.xml ----- No profile found
test5.xml ----- No profile found

This is the XML i have. I have created 2 tokens Table2_TOKEN, and Table3_TOKEN. When clicked on the table it always shows the Table 2. How can i modify the xml to achieve what i want ?

<panel>
  <table>
    <title>Table1</title>
    <searchString>bla bla bla</searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <drilldown>
      <set token="Table2_TOKEN">$click.value$</set>
      <set token="Table3_TOKEN">$click.name$</set>
    </drilldown>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>


<panel>
  <table depends="$Table2_TOKEN$">
    <title>Table2</title>
    <searchString>bla bla bla</searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
<panel>
  <table depends="$Table3_TOKEN$">
    <title>Table3</title>
    <searchString>bla bla bla</searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
Tags (4)

Tanefo
Path Finder

hi,
see this xml file, it can help you

    <form>
    <label>In-Page Drilldown with Perma-linking</label>
    <fieldset submitButton="false">
    <!--
    Create an input to store the drilldown value. It will be hidden using custom javascript when
    the dashboard is loaded.
    -->
    <input type="text" token="sourcetype" searchWhenChanged="true" />
    </fieldset>
    <row>
    <table id="master">
    <title>Master</title>
    <searchString>index=_internal | stats count by sourcetype</searchString>
    <earliestTime>-60m@m</earliestTime>
    <latestTime>now</latestTime>
    <!-- Set the type of of drilldown, since we will always consume the same field, use row-->
    <option name="drilldown">row</option>
    <drilldown>
    <!-- Use set to specify the new token to be created.
    Use any token from the page or from the click event to produce the value needed. -->
    <set token="sourcetype">$row.sourcetype$</set>
    <!-- If we also set the form.sourcetype the input will get updated too -->
    <set token="form.sourcetype">$row.sourcetype$</set>
    </drilldown>
    </table>
    </row>
    <row>
    <!-- depends is the way we tell the content to only show when the token has a value.
    Hint: use comma separated values if the element requires more than one token. -->
    <chart id="detail" depends="$sourcetype$">
    <title>Detail: $sourcetype$</title>
    <searchTemplate>index=_internal sourcetype=$sourcetype$ | timechart count</searchTemplate>
    <earliestTime>-60m@m</earliestTime>
    <latestTime>now</latestTime>
    </chart>
    </row>
    </form>
0 Karma

kshanky143
Path Finder

Thanks Tanefo. I made some progress on this but still need some help. How can i take the row value pull up the chart ?

Taking the same example mentioned above ....
Table 1 (main table )
Input ------- Count
Source 1 ---- 2
Source 2 ---- 3

  <table>
    <title>TABLE1</title>
    <searchString>bla bla bla  Table Input, Count </searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <drilldown>
      <condition field="count">
          <set token="TABLE1_TOKEN">$click.name$</set> <!-- Value of TABLE1_TOKEN will be "Source1" -->
      </condition>
        <condition field="count">
            <set token="TABLE2_TOKEN">$click.name$</set> !-- Value of TABLE1_TOKEN will be "Source2 -->
      </condition>
    </drilldown>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>

So to pop up Table 2 can we do some thing like this ?

 <table depends="$Table2_TOKEN$"> <!--  should be like <table depends if("$Table2_TOKEN$"=="Source1")>     -->
 <title>Table2</title>
 <searchString>bla bla bla | Table Name, ErrorMesage</searchString>
 <earliestTime>$field1.earliest$</earliestTime>
 <latestTime>$field1.latest$</latestTime>
 <option name="wrap">true</option>
 <option name="rowNumbers">false</option>
 <option name="dataOverlayMode">none</option>
 <option name="drilldown">cell</option>
 <option name="count">10</option>
<table>

Table 2 (gives me info about Source1)
Name ------- ErrorMessage
test1.xml ----- Bad XML file
test2.xml ----- No Source Found

similarly for Table 3, we should have our XML some thing like this

  <table depends="$Table3_TOKEN$"> <!--  should be like <table depends if("$Table3_TOKEN$"=="Source2")>     -->
 <title>Table3</title>
 <searchString>bla bla bla | Table Name, ErrorMesage</searchString>
 <earliestTime>$field1.earliest$</earliestTime>
 <latestTime>$field1.latest$</latestTime>
 <option name="wrap">true</option>
 <option name="rowNumbers">false</option>
 <option name="dataOverlayMode">none</option>
 <option name="drilldown">cell</option>
 <option name="count">10</option>
<table>

Table 3 (gives me info about Source2)
Name ------- ErrorMessage
test3.xml ----- No profile found
test4.xml ----- No profile found
test5.xml ----- No profile found

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...