Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass multiselect token values from main dashboard A to drilldown dashboard B

mbasharat
Builder
‎09-16-2020 07:30 PM

Hi,

I have a simple multi-select filter as below on my main dashboard.

<input type="multiselect" token="projects" searchWhenChanged="false">
<label>Projects</label>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>Projects</fieldForLabel>
<fieldForValue>Projects</fieldForValue>
<search base="sample">
<query>| search Organization="$organization$"
| stats dc(Projects) AS Total by Projects
| fields - Total</query>
</search>
<choice value="*">All</choice>
<prefix>Projects IN (</prefix>
<suffix>)</suffix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>


When dashboard populates and users select Projects using multiselect filter above, it gives them a list of vulnerabilities affecting assets in selected projects. Now, when users click on one of the vulnerabilities of their choice, it takes them to drill down dashboard which has some more multi select filters including one like above.

What I need is when users go to drill down dashboard, I need selected Projects from main dashboard A to be transferred/applied to drill-down dashboard B.

Thanks in-advance.

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-17-2020 09:34 AM

OK I understand - it is the good old passing multi value tokens which keeps cropping up. Try this:

<input type="multiselect" token="projects" searchWhenChanged="false">
<label>Projects</label>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>Projects</fieldForLabel>
<fieldForValue>Projects</fieldForValue>
<search base="sample">
<query>| search Organization="$organization$"
| stats dc(Projects) AS Total by Projects
| fields - Total</query>
</search>
<choice value="*">All</choice>
<prefix>Projects IN (</prefix>
<suffix>)</suffix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<change>
<eval token="drilldownmulti">mvjoin('form.projects',"&amp;form.drilldownmulti=")</eval>
</change>
</input>

Then in stats table panel:

<drilldown>
<link target="_blank">/app/yourapp/drilldown?form.drilldownmulti=$drilldownmulti|n$</link>
</drilldown>

Then in drilldown dashboard:

<input type="multiselect" token="drilldownmulti">
<label>Drilldown</label>
<choice value="*">All</choice>
<prefix>Projects IN (</prefix>
<suffix>)</suffix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>

Things to note: "|n" at the end of the link, and no default to the drilldown multiselect and the should be at least 1 choice.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-17-2020 12:59 AM

I am not sure what you mean by transferred/applied. The multiselect can set up tokens in the change event that can be used elsewhere in the dashboard e.g. the drilldown target panel. Also, if you want the multiselect in the drilldown panel to be populated with the choices from the main multiselect you can do something like this

<input type="multiselect" token="projects" searchWhenChanged="false">
<label>Projects</label>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>Projects</fieldForLabel>
<fieldForValue>Projects</fieldForValue>
<search base="sample">
<query>| search Organization="$organization$"
| stats dc(Projects) AS Total by Projects
| fields - Total</query>
</search>
<choice value="*">All</choice>
<prefix>Projects IN (</prefix>
<suffix>)</suffix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<change>
<eval token="form.drilldownmulti">'form.projects'</eval>
</change>
</input>
<input type="multiselect" token="drilldownmulti">
<label>Drilldown</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>Projects IN (</prefix>
<suffix>)</suffix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎09-17-2020 06:49 AM

Hi @ ITWhisperer,

After looking at your code, what is mean to ask originally is:

  • There are two dashboards, Main Dashboard and Drilldown Dashboard.
  • Projects multiselect filter menus exist on both.
  • I have a stats table/panel on Main dashboard with drilldown enabled. This stats table/panel is dependent on Projects multiselect filter.
  • If there are multiple Project values selected in multiselect on Main Dashboard e.g. Project A, Project B, Project C then if I click my choice of row in a stats table/panel on Main Dashboard,  drilldown takes me to Drilldown Dashboard. When this drill down happens, I need selected Projects in multiselect menu filter on Main Dashboard to be passed over to Projects multiselect menu filter on Drill down dashboard with values Project A, Project B, Project C 

I hope I explained it clearly. Thanks in-advance!!! Awaiting response.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-17-2020 09:34 AM

OK I understand - it is the good old passing multi value tokens which keeps cropping up. Try this:

<input type="multiselect" token="projects" searchWhenChanged="false">
<label>Projects</label>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>Projects</fieldForLabel>
<fieldForValue>Projects</fieldForValue>
<search base="sample">
<query>| search Organization="$organization$"
| stats dc(Projects) AS Total by Projects
| fields - Total</query>
</search>
<choice value="*">All</choice>
<prefix>Projects IN (</prefix>
<suffix>)</suffix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<change>
<eval token="drilldownmulti">mvjoin('form.projects',"&amp;form.drilldownmulti=")</eval>
</change>
</input>

Then in stats table panel:

<drilldown>
<link target="_blank">/app/yourapp/drilldown?form.drilldownmulti=$drilldownmulti|n$</link>
</drilldown>

Then in drilldown dashboard:

<input type="multiselect" token="drilldownmulti">
<label>Drilldown</label>
<choice value="*">All</choice>
<prefix>Projects IN (</prefix>
<suffix>)</suffix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>

Things to note: "|n" at the end of the link, and no default to the drilldown multiselect and the should be at least 1 choice.

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎09-24-2020 12:07 PM

H @ ITWhisperer,

 

Quick question, for one filter which was my original ask, this solution works great. But when I have tried to use it with multiple filters for multiple fields to be passed, it is not. What am I missing pls? I did adjust the logic as in this solution for the rest. Thanks!!!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2020 01:22 PM

You haven't said what it was that you did for multiple dropdowns to be passed, or what didn't work, but assuming the other mv, let's call it othermulti, is setup a similar way, the difference in the drilldown url would be something like this

<drilldown>
<link target="_blank">/app/yourapp/drilldown?form.drilldownmulti=$drilldownmulti|n$&amp;form.othermulti=$othermulti|n$</link>
</drilldown>

 

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎09-29-2020 10:01 PM

Hi @ ITWhisperer,

So I used your method below,  made progress and multiselect started passing the value from multiselect filter from dashboard A and drilldown stats table panel to filters in dashboard B.  Now the issue is, the value that is selected on dashboard A is not the one that is getting transferred to dashboard B. A different value is getting passed which seems odd because the selected one needs to be passed over.

Here is my code snippet for the filters:

Dashboard A:

 

 

    <input type="dropdown" token="scantype" searchWhenChanged="false">
      <label>Scan Type</label>
      <fieldForLabel>Scan_Type</fieldForLabel>
      <fieldForValue>Scan_Type</fieldForValue>
      <search base="menus">
        <query>| stats dc(Scan_Type) AS Total by Scan_Type
| fields - Total</query>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
      <choice value="*">All</choice>
    </input>
    <input type="multiselect" token="resporg" searchWhenChanged="false">
      <label>Responsible Organization</label>
      <fieldForLabel>Responsible_Organization</fieldForLabel>
      <fieldForValue>Responsible_Organization</fieldForValue>
      <search base="menus">
        <query>| search Scan_Type="$scantype$"
| stats dc(Responsible_Organization) AS Total by Responsible_Organization
| fields - Total</query>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
      <choice value="*">All</choice>
      <prefix>Responsible_Organization IN (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <change>
        <eval token="drilldownmultiorg">mvjoin('form.resporg',"&amp;form.drilldownmultiorg=")</eval>
      </change>
    </input>

 

 

Stats Panel A:

 

 

<drilldown>
<link target="_blank">/app/sample_app/drilldown_dashboard?form.cves=$row.CVE$&amp;form.scantype=$scantype$&amp;form.resporg=$drilldownmultiorg|n$</link>
</drilldown>

 

 

Dashboard B:

 

 

 <input type="text" token="cves">
      <label>Select CVE</label>
      <default>CVE-2015-6550</default>
      <initialValue>CVE-2015-6550</initialValue>
 </input>
 <input type="multiselect" token="plugin" searchWhenChanged="false">
      <label>Plugin ID/s</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>Plugin_ID</fieldForLabel>
      <fieldForValue>Plugin_ID</fieldForValue>
      <search base="vulninfo">
        <query>| search CVE="$cves$"
| stats dc(Plugin_ID) AS count BY Plugin_ID
| fields Plugin_ID</query>
      </search>
      <prefix>Plugin_ID IN (</prefix>
      <suffix>)</suffix>
      <delimiter>,</delimiter>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="dropdown" token="scantype" searchWhenChanged="false">
      <label>Scan Type</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>Scan_Type</fieldForLabel>
      <fieldForValue>Scan_Type</fieldForValue>
      <search base="vulninfo">
        <query>| search CVE="$cves$" AND $plugin$
| stats dc(Scan_Type) AS count BY Scan_Type
| fields Scan_Type</query>
      </search>
</input>
    <input type="multiselect" token="drilldownmultiorg" searchWhenChanged="false">
      <label>Responsbile Organization</label>
      <choice value="*">All</choice>
      <fieldForLabel>KISAM_Responsible_Organization</fieldForLabel>
      <fieldForValue>KISAM_Responsible_Organization</fieldForValue>
      <search base="vulninfo">
        <query>| search CVE="$cves$" AND $plugin$ AND Scan_Type="$scantype$"
| stats dc(KISAM_Responsible_Organization) AS count BY KISAM_Responsible_Organization
| fields KISAM_Responsible_Organization</query>
</search>
      <prefix>KISAM_Responsible_Organization IN (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <initialValue>*</initialValue>
      <default>*</default>
    </input>

 

 

 

Tags (2)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2020 12:58 AM

Working from the bottom up, in Dashboard B, the multiselect may not need a search to populate it since we are passing in the values

    <input type="multiselect" token="drilldownmultiorg" searchWhenChanged="false">
      <label>Responsbile Organization</label>
      <choice value="*">All</choice>
      <prefix>KISAM_Responsible_Organization IN (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <initialValue>*</initialValue>
      <default>*</default>
    </input>

The stats panel drilldown in Dashboard A needs to pass the values to form.drilldownmultiorg

<drilldown>
<link target="_blank">/app/sample_app/drilldown_dashboard?form.cves=$row.CVE$&amp;form.scantype=$scantype$&amp;form.drilldownmultiorg=$drilldownmultiorg|n$</link>
</drilldown>

 In all cases, your queries to populate the dropdowns can be simplified to remove the stats, for example

        <query>| dedup Scan_Type | fields Scan_Type</query>

 

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎09-30-2020 05:48 AM

dedup does not work for me because I am dealing with a lot of data and stats runs the fastest.

The drilldown dashboard is also used as an individual dashboard.

USing your approach, tokens do get transferred now. The problem is if a value A is selected on dashboard A, filter logic is passing on value C or D. There is something in |n logic or something else causing this which I am not getting.  

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎09-27-2020 10:27 AM

Hi @ ITWhisperer,

Sorry, I was away from home. Will be posting my code snippet for filters today. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...