Splunk Search

How to edit my XML to initialize tokens for a contextual drilldown to point to different tables?

kshanky143
Path Finder

I have 3 tables. I want 2 things here:
a) Click on Source 1, in Table 1, and Table 2 should show up
b) Click on Source 2, in Table 1, and Table 3 should show up

Table 1 (main table )
Input ------- Count
Source 1 ---- 2
Source 2 ---- 3

Table 2 (gives me info about Source 1)
Name ------- ErrorMessage
test1.xml ----- Bad XML file
test2.xml ----- No Source Found

Table 3 (gives me info about Source 2)
Name ------- ErrorMessage
test3.xml ----- No profile found
test4.xml ----- No profile found
test5.xml ----- No profile found

This is the XML i have. I have created 2 tokens Table2_TOKEN, and Table3_TOKEN. When clicked on the table it always shows the Table 2. How can i modify the xml to achieve what i want ?

<panel>
  <table>
    <title>Table1</title>
    <searchString>bla bla bla</searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <drilldown>
      <set token="Table2_TOKEN">$click.value$</set>
      <set token="Table3_TOKEN">$click.name$</set>
    </drilldown>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>


<panel>
  <table depends="$Table2_TOKEN$">
    <title>Table2</title>
    <searchString>bla bla bla</searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
<panel>
  <table depends="$Table3_TOKEN$">
    <title>Table3</title>
    <searchString>bla bla bla</searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
Tags (4)

Tanefo
Path Finder

hi,
see this xml file, it can help you

    <form>
    <label>In-Page Drilldown with Perma-linking</label>
    <fieldset submitButton="false">
    <!--
    Create an input to store the drilldown value. It will be hidden using custom javascript when
    the dashboard is loaded.
    -->
    <input type="text" token="sourcetype" searchWhenChanged="true" />
    </fieldset>
    <row>
    <table id="master">
    <title>Master</title>
    <searchString>index=_internal | stats count by sourcetype</searchString>
    <earliestTime>-60m@m</earliestTime>
    <latestTime>now</latestTime>
    <!-- Set the type of of drilldown, since we will always consume the same field, use row-->
    <option name="drilldown">row</option>
    <drilldown>
    <!-- Use set to specify the new token to be created.
    Use any token from the page or from the click event to produce the value needed. -->
    <set token="sourcetype">$row.sourcetype$</set>
    <!-- If we also set the form.sourcetype the input will get updated too -->
    <set token="form.sourcetype">$row.sourcetype$</set>
    </drilldown>
    </table>
    </row>
    <row>
    <!-- depends is the way we tell the content to only show when the token has a value.
    Hint: use comma separated values if the element requires more than one token. -->
    <chart id="detail" depends="$sourcetype$">
    <title>Detail: $sourcetype$</title>
    <searchTemplate>index=_internal sourcetype=$sourcetype$ | timechart count</searchTemplate>
    <earliestTime>-60m@m</earliestTime>
    <latestTime>now</latestTime>
    </chart>
    </row>
    </form>
0 Karma

kshanky143
Path Finder

Thanks Tanefo. I made some progress on this but still need some help. How can i take the row value pull up the chart ?

Taking the same example mentioned above ....
Table 1 (main table )
Input ------- Count
Source 1 ---- 2
Source 2 ---- 3

  <table>
    <title>TABLE1</title>
    <searchString>bla bla bla  Table Input, Count </searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <drilldown>
      <condition field="count">
          <set token="TABLE1_TOKEN">$click.name$</set> <!-- Value of TABLE1_TOKEN will be "Source1" -->
      </condition>
        <condition field="count">
            <set token="TABLE2_TOKEN">$click.name$</set> !-- Value of TABLE1_TOKEN will be "Source2 -->
      </condition>
    </drilldown>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>

So to pop up Table 2 can we do some thing like this ?

 <table depends="$Table2_TOKEN$"> <!--  should be like <table depends if("$Table2_TOKEN$"=="Source1")>     -->
 <title>Table2</title>
 <searchString>bla bla bla | Table Name, ErrorMesage</searchString>
 <earliestTime>$field1.earliest$</earliestTime>
 <latestTime>$field1.latest$</latestTime>
 <option name="wrap">true</option>
 <option name="rowNumbers">false</option>
 <option name="dataOverlayMode">none</option>
 <option name="drilldown">cell</option>
 <option name="count">10</option>
<table>

Table 2 (gives me info about Source1)
Name ------- ErrorMessage
test1.xml ----- Bad XML file
test2.xml ----- No Source Found

similarly for Table 3, we should have our XML some thing like this

  <table depends="$Table3_TOKEN$"> <!--  should be like <table depends if("$Table3_TOKEN$"=="Source2")>     -->
 <title>Table3</title>
 <searchString>bla bla bla | Table Name, ErrorMesage</searchString>
 <earliestTime>$field1.earliest$</earliestTime>
 <latestTime>$field1.latest$</latestTime>
 <option name="wrap">true</option>
 <option name="rowNumbers">false</option>
 <option name="dataOverlayMode">none</option>
 <option name="drilldown">cell</option>
 <option name="count">10</option>
<table>

Table 3 (gives me info about Source2)
Name ------- ErrorMessage
test3.xml ----- No profile found
test4.xml ----- No profile found
test5.xml ----- No profile found

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...