Using tokens in XML dashboard table "fields" tag - fields won't update dynamically

etoombs
Engager

I have an XML form that has a select box control that allows users to select the fields they want displayed in the output table. The selected options are stored in a token called "$fields$". The input is set to search on change.

In the dashboard, if I use |table $fields$ at the end of my search, the results table is updated every time a field is checked or unchecked, which is the action I'm looking for. However, the limitation of this is that I can't remove fields the users don't need to see if I want to keep them for drilldown.

As an alternative, I tried adding the fields tag, with $fields$ for the list and removing the table command. This effectively works at hiding the extra columns and keeping the data so that I can use it for drilldown, but it doesn't update dynamically as they are selecting/unselecting the field names.

I want the best of both worlds - I want the fields to update dynamically as clicked and to be able to retain data in the row for drilldown features. Is there a way to do this? It's multiple fields, but I'll always be able to control the field names. I'm open to using JavaScript on it if needed - I just haven't been able to figure out how.

A limited version of my XML is below (with some choices removed, just for brevity).

______________________The select box______________________

 <input type="checkbox" id="input_checkbox_horizontal1" searchWhenChanged="true" depends="$vsmacro$" token="fields">
      <label>Select Fields to Display</label>
      <choice value="&quot;VM Team Message&quot;">VM Team Message</choice>
      <choice value="&quot;Last Observed&quot;">Last Observed</choice>
      <choice value="&quot;Severity&quot;">Severity</choice>
      <choice value="&quot;IP Address&quot;">IP Address</choice>
       <choice value="&quot;See Also&quot;">See Also</choice>
      <choice value="&quot;CVSS Base Score&quot;">CVSS Base Score</choice>
    Notes&quot;,&quot;Note Expiration&quot;">SLM Notes Information</choice>
      <delimiter>,</delimiter>
      <default>"""Last Observed""","""Severity""","""IP Address"""</default>
      <initialValue>"Last Observed","Severity","IP Address",</initialValue>
    </input>

_____________________the tables option________________

   <query>[...a working search....] |table Directives $fields$   </query>

This will automatically update (I'd assume because of the searchWhenChanged control on the box.)

_____________the fields option ________________

        <search id="MySearch" base="BaseSearch">

          <query>|[...a working search...]
           </query>
        </search>
        <option name="count">10</option>
        [...removed a bunch of other "option" tags"...]
       <fields>$fields$</fields>

        <drilldown>
         [...removed all the drilldown conditions...]
        </drilldown>
      </table>

Any help you might be able to provide is appreciated!!!!


niketnilay
Legend

@etoombs you can use an independent search to process the check box selection and prepare a dummy SPL to rename each selected field name prefixed with an underscore (_). This way, fields prefixed with an underscore will be hidden from the table fields; however, at the same time they will be available for drilldown using $row._yourHiddenFieldName$

Please try out and confirm the following run-anywhere example based on Splunk's _internal index, where the default hidden fields are mongod, splunkd and splunkd_ui_access.

<form>
  <label>Checkbox Based Table Field Filter with Drilldown</label>
  <!-- Independent search to process the checkbox selection and create hidden table fields using underscore-prefixed field names -->
  <!-- For Example: 
                    "mongod" selection in checkbox results in SPL "| rename mongod as _mongod"
                    "mongod splunkd" selection in checkbox results in "| rename mongod as _mongod, splunkd as _splunkd"
  PS: Splunk search result fields prefixed with underscore "_" are hidden from table. But can be used for drilldown using $row._fieldname$ for example $row._mongod$ or $row._splunkd$
  -->
  <search>
    <query>
| makeresults 
| fields - _time 
| eval originalSelection=split("$tokSourceTypes$"," ")
| mvexpand originalSelection 
| streamstats count as rowNum 
| eventstats max(rowNum) as maxRowNum 
| eval hiddenSelection=if(maxRowNum==rowNum," ".originalSelection." as _".originalSelection,
    " ".originalSelection." as _".originalSelection. ",") 
| stats list(hiddenSelection) as hiddenSelection 
| nomv hiddenSelection
| eval hiddenSelection="rename ".hiddenSelection
    </query>
    <done>
      <set token="tokSelectedFields">$result.hiddenSelection$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokSourceTypes" searchWhenChanged="true">
      <label>Sourcetypes</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>| tstats count where index=_internal by sourcetype
| fields sourcetype</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>mongod,splunkd,splunkd_ui_access</default>
      <delimiter> </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats count where index=_internal by sourcetype
| transpose 0 column_name="sourcetype" header_field="sourcetype"
| $tokSelectedFields$ </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="tokMongod">$row._mongod$</set>
          <set token="tokSplunkd">$row._splunkd$</set>
          <set token="tokSplunkdUIAccess">$row._splunkd_ui_access$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>
          <h2>Drilldown to see Hidden Column Values (default hidden fields are mongod, splunkd and splunkd_ui_access)</h2>
          <div>mongod: $tokMongod$</div>
          <div>splunkd: $tokSplunkd$</div>
          <div>splunkd_ui_access: $tokSplunkdUIAccess$</div>
        </div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
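
To make the rename-generation step in the answer above concrete outside a dashboard, here is an added Python model of what the independent search does (this is example code written for this thread, not niketnilay's code or anything shipped by Splunk): it splits the checkbox token, prefixes each selected name with an underscore and emits the rename clause that the table query consumes through | $tokSelectedFields$. It goes a little beyond the answer: it also accepts the question's comma-delimited, &quot;-quoted names, returns a harmless no-op when nothing is selected instead of an empty rename, and checks the names against an allow-list before they would ever be spliced into SPL, since the token is inserted into the query verbatim. The allow-list, the "where true()" no-op and the sample token values are assumptions constructed for the example.

```python
import re
from typing import List

# Constructed sample token values (not captured from a live dashboard):
# the answer's space-delimited checkbox and the question's comma-delimited, quoted one.
SAMPLE_SPACE_DELIMITED = "mongod splunkd splunkd_ui_access"
SAMPLE_COMMA_DELIMITED = '"Last Observed","Severity","IP Address",'

# Columns the dashboard author allows to be hidden. This allow-list is an assumption
# added for the example: the token is spliced into SPL verbatim by "| $tokSelectedFields$",
# so only names the author controls should reach that point.
ALLOWED_FIELDS = {
    "mongod", "splunkd", "splunkd_ui_access",
    "VM Team Message", "Last Observed", "Severity", "IP Address",
    "See Also", "CVSS Base Score",
}


def parse_selection(token_value: str, delimiter: str = " ") -> List[str]:
    """Split the checkbox token into field names.

    Surrounding double quotes (the &quot; values in the question's <choice> tags)
    are stripped and empty entries dropped, which covers the trailing comma in the
    question's <initialValue> and an empty token when nothing is checked.
    """
    names = []
    for part in token_value.split(delimiter):
        part = part.strip().strip('"')
        if part:
            names.append(part)
    return names


def selection_is_allowed(token_value: str, delimiter: str = " ") -> bool:
    """True when every selected name is on the allow-list."""
    return set(parse_selection(token_value, delimiter)) <= ALLOWED_FIELDS


def quote_field(name: str) -> str:
    """Quote a field name for SPL rename when it contains whitespace."""
    return f'"{name}"' if re.search(r"\s", name) else name


def build_rename_clause(token_value: str, delimiter: str = " ") -> str:
    """Build the clause the answer's independent search produces, e.g.
    'rename mongod as _mongod, splunkd as _splunkd'. The underscore prefix hides
    the column from the table while $row._mongod$ stays usable in drilldown."""
    if not selection_is_allowed(token_value, delimiter):
        unknown = sorted(set(parse_selection(token_value, delimiter)) - ALLOWED_FIELDS)
        raise ValueError(f"unexpected field names in selection: {unknown}")
    names = parse_selection(token_value, delimiter)
    if not names:
        # Nothing selected: emit a pass-through rather than an empty "rename".
        # Assumption: "where true()" is used here as the harmless no-op.
        return "where true()"
    pairs = [f"{quote_field(n)} as {quote_field('_' + n)}" for n in names]
    return "rename " + ", ".join(pairs)


if __name__ == "__main__":
    print("| " + build_rename_clause(SAMPLE_SPACE_DELIMITED))
    print("| " + build_rename_clause(SAMPLE_COMMA_DELIMITED, ","))
```

Running it prints the two clauses the dashboard would splice in after the transpose; for the question's quoted names the output is rename "Last Observed" as "_Last Observed", Severity as _Severity, "IP Address" as "_IP Address". Whether drilldown tokens for hidden names that contain spaces resolve as $row._Last Observed$ is not something this example verifies; the answer demonstrates the pattern only for simple names like mongod.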

etoombs
Engager

@niketnilay
Well, that was easy. Thank you very much! Never occurred to me to rename with the underscore character. I appreciate your time!

niketnilay
Legend

Anytime. Field names prefixed with underscore was a trick I learnt from @woodcock 🙂
