Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Passing values to another dashboard and using the same in search

smanojkumar
Contributor
‎10-17-2023 01:11 AM

Hi There!
   I need to pass a token form one dashboard to another dashboard when clicking its pie chart
 Input in dashboard 1

</input>
<input type="multiselect" token="choose_office" searchWhenChanged="true">
<label>Front/Back office</label>
<choice value="Front Office">Front Office</choice>
<choice value="Back Office">Back Office</choice>
<initialValue>Front Office,Back Office</initialValue>
<default>Front Office,Back Office</default>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter>
</input>


one of the searches in dashboard 1

`compliance_op`
| search office IN ($choose_office$)
| chart count by $scope$global
| sort $scope$global


My link to next dashboard is 

<drilldown>
<link target="_blank">/app/SAsh/operational_beautiful?form.choose_office=$choose_office$&amp;form.machine=$machine$&amp;form.origin=$origin$&amp;form.country=$country$&amp;form.cacp=$cacp$&amp;form.scope=$scope$</link>
</drilldown>


Multiselect in dashboard 2

<input type="multiselect" token="office_filter" searchWhenChanged="true">
<label>Front/Back Office</label>
<choice value="Front Office">Front Office</choice>
<choice value="Back Office">Back Office</choice>
<choice value="Unknown">Unknown</choice>
<prefix>office IN (</prefix>
<suffix>)</suffix>
<initialValue>Front Office,Back Office,Unknown</initialValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter>
<change>
<eval token="office_filter_drilldown">mvjoin('form.office_filter',"&amp;form.office_filter=")</eval>
</change>
</input>

 

search in dashboard 2

`compliance_ap`
| search office IN ($choose_office$)
| chart count by $scope$global
| sort $scope$global



I'm facing error in search of dashboard 2.

Thanks!

0 Karma
Reply

smanojkumar
Contributor
‎10-17-2023 04:16 AM

Hi @ITWhisperer !

   Thanks for your response!

   It is working fine, it always selected two values in dashboard 2 even if we are selecting one value in dashboard 1, 
   For Eg. If we are selecting "Front Office" in Dashboard 1, It shows both values "Front Office" and "Back Office" in Dashboard 2.

Thanks!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-18-2023 01:25 AM

The tokens passed in the url need to be constructed from the multi-select input not hard coded

0 Karma
Reply

smanojkumar
Contributor
‎10-18-2023 06:22 AM

Hi @ITWhisperer 
   
   I tried few way, I didn't got it.

<condition match="isnull($office_filter$) == &quot;Front_Office*&quot;">
<set token="office_filter_drilldown">form.office_filter=Front%20Office</set>
</condition>
<condition match="isnull($office_filter$) == &quot;Back_Office*&quot;">
<eval token="office_filter_drilldown">form.office_filter=Back%20Office</eval>
</condition>
<condition match="isnull($office_filter$) == &quot;Front_Office*&quot; AND == &quot;Back_Office*&quot;">
<eval token="office_filter_drilldown">form.office_filter=Front%20Office&amp;form.office_filter=Back%20Office</eval>
</condition>


   can you please share that as well.

Thanks in Advance!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-18-2023 07:46 AM

Try something like this

<input type="multiselect" token="choose_office" searchWhenChanged="true">
<label>Front/Back office</label>
<choice value="Front%20Office">Front Office</choice>
<choice value="Back%20Office">Back Office</choice>
<valuePrefix>form.choose_office=</valuePrefix>
<valueSuffix></valueSuffix>
<delimiter>&amp;</delimiter>
</input>
0 Karma
Reply

smanojkumar
Contributor
‎10-19-2023 04:36 AM

Hi @ITWhisperer ,

   It is fine but the prefix "form.office_filter=" is affecting the token that is used in search and the link is not expected.

Here is the link

&form.office_filter%3DBack%20Office%26form.office_filter%3DFront%20Office=&

If I'm using this instead, it works

&form.office_filter=Back%20Office&form.office_filter=Front%20Office=&

= is replaced by %3D in first link, & is replaced by %26

Can you  please help me in this!

Thanks!

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 04:57 AM

How are you using the token in the link?

0 Karma
Reply

smanojkumar
Contributor
‎10-19-2023 05:38 AM

Hi @ITWhisperer 

   I'm just passing the token in link

$office_filter$

<link target="_blank">/app/SAsh/details?form.compliance_filter=$click.value$&amp;form.timerange=$timerange$&amp;form.antivirus_filter=*&amp;$office_filter$&amp;form.machine=$machine$&amp;form.origin=$origin$&amp;form.scope=$scope$</link>

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-17-2023 02:03 AM

Multi-selects settings are passed in URLs by repeating the token with each value that has been selected

<link target="_blank">/app/SAsh/operational_beautiful?form.choose_office=Front%20Office&amp;form.choose_office=Back%20Office&amp;...
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...