Solved: Passing token value to another dashboard

smanojkumar · ‎10-13-2023

Hi There!

I'm having the dropdown "office" in dashboard 1 as a multiselect (full office, half office), based on the selection it should display the results in dashboard 1,

In the dashboard 1, I have a pie chart, If i click the pie chart It need to take to dashboard 2 which consists of same dropdown "office" as multiselect (full office, half office, non-compliant office),

If in case I'm clicking pie chart of dashboard 1 when office value is full office, half office, if should shows the same in dashboard 2 and in dashboard 2 has some panels, its should the using the value.
I had configured the link already, the problem is if we are adding prefix value as " and postfix " and delimiter , it will pass the same to next dashboard 2 dropdown, so that I didn't get the result of panels in dashboard 2.

I need solution for this?

Thanks,
Manoj Kumar S

danspav · ‎10-26-2023

Hi @smanojkumar,

I think you're almost there!

The last step is to prevent url encoding of the token. In my example I put the link directly in an <html> block so this step wasn't necessary. But if you're using the drilldown option from a visualisation, you'll need to make sure Splunk doesn't encode the URL for you.

To do that you can use this format: $office_filter_drilldown|n$

Change your drilldown section to resemble something like this:

<drilldown>
<link target="_blank">antivirus_details?form.compliance_filter=$click.value$&amp;$office_filter_drilldown|n$&amp;form.machine=$machine$&amp;form.origin=$origin$&amp;form.country=$country$&amp;form.cacp=$cacp$&amp;form.scope=$scope$</link>
</drilldown>

That way Splunk won't try to encode any characters in the token, giving you the correct URL.

There are a few different filters available for tokens:

Filter Description

Wrap value in quotes $token_name\|s$	Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.
HTML format $token_name\|h$	Ensures that the token value is valid for HTML formatting. Token values for the <HTML> element use this filter by default.
URL format $token_name\|u$	Ensures that the token value is valid to use as a URL. Token values for the <link> element use this filter by default.
Specify no character escaping $token_name\|n$	Prevents the default token filter from running. No characters in the token are escaped.

See more info on Splunk docs

Give that a go and see how you get on.

Cheers,
Daniel

View solution in original post

danspav · ‎10-24-2023

Hi @smanojkumar,

Here's a sample dashboard that has a multi-select with prefix/suffix values, and a second token that you can append to drill-downs.

Save the dashboard as "send_multi_value_token_drilldown"

<form version="1.1">
  <label>Send Multi Value Token Drilldown</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="multi" searchWhenChanged="true">
      <label>Multiselect</label>
      <choice value="val1">key1</choice>
      <choice value="val2">key2</choice>
      <choice value="val3">key3</choice>
      <choice value="val4">key4</choice>
      <choice value="val5">key5</choice>
      <default>val1</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <initialValue>val1</initialValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <change>
        <eval token="drilldown">replace('form.multi',"([^,]+),?","&amp;form.multi=$1")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Token Values</title>
      <html>
        <h1>Token: $multi$</h1>
      <h1>Drildown Token: $drilldown$</h1>
      
      <a href="send_multi_value_token_drilldown?$drilldown$" target="_BLANK">Drilldown</a>
      </html>
    </panel>
  </row>
</form>

The trick here is in the <change> event on the multiselect. Each time you change the value of the dropdown, it creates a new token with the $form.multi$ token rather than just using $multi$:

<eval token="drilldown">replace('form.multi',"([^,]+),?","&form.multi=$1")</eval>

Try changing the values and then click on the "drilldown" link. You will see the same dashboard load in a new window with the same values pre-selected.

On your dashboard, just add the $drilldown$ token to your dashboard, and it will propagate the values.

Cheers,
Daniel

bowesmana · ‎10-25-2023

@danspav for some reason the comma is not removed from the token, so it becomes

form.multi=val1,&form.multi=val2

and therefore in the receiving dashboard, it gets the first multi value as val1,

not quite sure why that regex keeps the comma

danspav · ‎10-25-2023

Doh! that will teach me for not testing. I'm sure that dashboard worked on an earlier version of Splunk, but you're right, it keeps those pesky commas.

Here's an updated version with two key changes:

I've set up the drilldown token to have a value when the dashboard first loads - in case you click the drilldown link before you've changed the dropdown.
The regex is fine - but the token seems to be treated like a multivalue field - so I've simply concatenated an empty string to it: $form.multi$ + "" - this tricks Splunk into treating it like a normal string.

<form version="1.1">
  <init>
    <set token="drilldown">form.multi=val1</set>
  </init>
  <label>Send Multi Value Token Drilldown</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="multi" searchWhenChanged="true">
      <label>Multiselect</label>
      <choice value="val1">key1</choice>
      <choice value="val2">key2</choice>
      <choice value="val3">key3</choice>
      <choice value="val4">key4</choice>
      <choice value="val5">key5</choice>
      <default>val1</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <initialValue>val1</initialValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <change>
        <eval token="drilldown">replace($form.multi$ + "","([^,]+),?","&amp;form.multi=$1")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Token Values</title>
      <html>
        <h1>Token: $multi$</h1>
      <h1>Drildown Token: $drilldown$</h1>
      <a href="send_multi_value_token_drilldown?$drilldown$" target="_BLANK">Drilldown</a>
      </html>
    </panel>
  </row>
</form>

I think that version should work - tested on a Splunk Cloud instance.

Cheers,
Daniel

smanojkumar · ‎10-26-2023

Hi @danspav/ @bowesmana ,
Thanks for your response,
I has tried this way, still getting different values in URL

Here is my URL after selection of pie chart,
&%26form.office_filter%3DFront%20Office=&

I'm getting %26, %3D instead for = , %20 instead of space

i had tried this way in actual info,

<input type="multiselect" token="office_filter" searchWhenChanged="true">
<label>Front/Back office</label>
<choice value="Front Office">Front Office</choice>
<choice value="Back Office">Back Office</choice>
<default>Front Office</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>Front Office</initialValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>,</delimiter>
<change>
<eval token="office_filter_drilldown">replace($form.office_filter$ + "","([^,]+),?","&amp;form.office_filter=$1")</eval>
</change>
</input>

<drilldown>
<link target="_blank">/app/antivirus_details?form.compliance_filter=$click.value$&amp;$office_filter_drilldown$&amp;form.machine=$machine$&amp;form.origin=$origin$&amp;form.country=$country$&amp;form.cacp=$cacp$&amp;form.scope=$scope$</link>
</drilldown>

Can you please ensure this!

Thanks!
Manoj Kumar S

danspav · ‎10-26-2023

Hi @smanojkumar,

I think you're almost there!

The last step is to prevent url encoding of the token. In my example I put the link directly in an <html> block so this step wasn't necessary. But if you're using the drilldown option from a visualisation, you'll need to make sure Splunk doesn't encode the URL for you.

To do that you can use this format: $office_filter_drilldown|n$

Change your drilldown section to resemble something like this:

<drilldown>
<link target="_blank">antivirus_details?form.compliance_filter=$click.value$&amp;$office_filter_drilldown|n$&amp;form.machine=$machine$&amp;form.origin=$origin$&amp;form.country=$country$&amp;form.cacp=$cacp$&amp;form.scope=$scope$</link>
</drilldown>

That way Splunk won't try to encode any characters in the token, giving you the correct URL.

There are a few different filters available for tokens:

Filter Description

Wrap value in quotes $token_name\|s$	Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.
HTML format $token_name\|h$	Ensures that the token value is valid for HTML formatting. Token values for the <HTML> element use this filter by default.
URL format $token_name\|u$	Ensures that the token value is valid to use as a URL. Token values for the <link> element use this filter by default.
Specify no character escaping $token_name\|n$	Prevents the default token filter from running. No characters in the token are escaped.

See more info on Splunk docs

Give that a go and see how you get on.

Cheers,
Daniel

smanojkumar · ‎10-26-2023

Hi @danspav ,
Thanks for your response!

It works, Thanks for your brief and clear explanation. It means a lots.

Thanks!
Manoj Kumar S

Passing token value to another dashboard

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?