Splunk Search

Splunk dashboard table panel with dynamic token

elend
Path Finder

hello, I have an issue when creating some visualization in splunk dashboard. Im using dashboard studio, and my objective is want made a table panel with multiple token for each column, Is it possible in splunk?

Like for this capture dashboard, is it possible when i click in signature value

dashboard.png

 

The rest visualization belows the table will dynamically changes based on the clicked column values, the action also can applied when i click on different column values from the first table. Is it possible in dashboard studio ?

Labels (4)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Your description is insufficient for others to help.  You need to make some mockup data scenarios and corresponding desired outcomes for us to understand what "multiple" token for each column means.

If you mean whether clicking on different cells in the same row can set different tokens, the answer is no.  You can set multiple tokens by one click.  But each row can only result in one set of values.

View solution in original post

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Your description is insufficient for others to help.  You need to make some mockup data scenarios and corresponding desired outcomes for us to understand what "multiple" token for each column means.

If you mean whether clicking on different cells in the same row can set different tokens, the answer is no.  You can set multiple tokens by one click.  But each row can only result in one set of values.

0 Karma

elend
Path Finder

sorry for the lack of clarity. I mean, for example in the display there is a table with 3 columns. from there I can display certain information below the table depending on which table column I click. Is it possible?

0 Karma

yuanliu
SplunkTrust
SplunkTrust

My apologies, @elend.  I must modify my answer.  Whereas I haven't found a way to use cell value (by column) for drilldown in SimpleXML, what you ask is very easy in Dashboard Studio: Just set a token using "value" option.  Here is a simple example

{
    "visualizations": {
        "viz_L2lVmmIi": {
            "type": "splunk.table",
            "dataSources": {
                "primary": "ds_XAakW253"
            },
            "title": "Set local => $set_tok$",
            "eventHandlers": [
                {
                    "type": "drilldown.setToken",
                    "options": {
                        "tokens": [
                            {
                                "token": "set_tok",
                                "key": "value"
                            }
                        ]
                    }
                }
            ]
        }
    },
    "dataSources": {
        "ds_XAakW253": {
            "type": "ds.search",
            "options": {
                "query": "| makeresults format=csv data=\"_click\nA\nb\nC\nd\nfoo\nbar\nmore letters\"\n| eval click = \"You click \" . _click"
            },
            "name": "Simple table"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                "queryParameters": {
                    "earliest": "-24h@h",
                    "latest": "now"
                    }
                }
            }
        }
    },
    "inputs": {},
    "layout": {
        "type": "grid",
        "options": {
            "width": 1440,
            "height": 960
        },
        "structure": [
            {
                "item": "viz_L2lVmmIi",
                "type": "block",
                "position": {
                    "x": 0,
                    "y": 0,
                    "w": 1440,
                    "h": 346
                }
            }
        ],
        "globalInputs": []
    },
    "description": "",
    "title": "Drilldown to cell value"
}

Here are two screenshots, one click on column 1, the other on column2:

row3column1.png

row3column2.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

In your interactions, you can use predefined tokens to set your own token, which can then be used in another panel - name will give you the name of the field (column) which was clicked

ITWhisperer_0-1725865334839.png

 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

As I said above, the answer is no.  Splunk's interactions (better known in dashboard classic as "drilldowns") are based on selected row only.  If a transposed table suits your need, you can transpose, then interact with row.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...