I have an XML form that has a select box control that allows users to select the fields they want displayed in the output table. The selected options are stored in a token called "$fields$". The input is set to search on change.
In the dashboard, if I use |table $fields$ at the end of my search, the results table is updated every time a field is checked or unchecked, which is the action I'm looking for. However, the limitation of this is that I can't remove fields the users don't need to see if I want to keep them for drilldown.
As an alternative, I tried adding the fields tag, with $fields$ for the list and removing the table command. This effectively works at hiding the extra columns and keeping the data so that I can use it for drilldown, but it doesn't update dynamically as they are selecting/unselecting the field names.
I want the best of both worlds - I want the fields to update dynamically as clicked and to be able to retain data in the row for drilldown features. Is there a way to do this? It's multiple fields, but I'll always be able to control the field names. I'm open to using JavaScript on it if needed - I just haven't been able to figure out how.
A limited version of my XML is below (with some choices removed, just for brevity).
______________________The select box______________________
<input type="checkbox" id="input_checkbox_horizontal1" searchWhenChanged="true" depends="$vsmacro$" token="fields">
<label>Select Fields to Display</label>
<choice value="&quot;VM Team Message&quot;">VM Team Message</choice>
<choice value="&quot;Last Observed&quot;">Last Observed</choice>
<choice value="&quot;Severity&quot;">Severity</choice>
<choice value="&quot;IP Address&quot;">IP Address</choice>
<choice value="&quot;See Also&quot;">See Also</choice>
<choice value="&quot;CVSS Base Score&quot;">CVSS Base Score</choice>
Notes&quot;,&quot;Note Expiration&quot;">SLM Notes Information</choice>
<delimiter>,</delimiter>
<default>"""Last Observed""","""Severity""","""IP Address"""</default>
<initialValue>"Last Observed","Severity","IP Address",</initialValue>
</input>
_____________________the tables option________________
<query>[...a working search....] |table Directives $fields$ </query>
This will automatically update (I'd assume because of the searchWhenChanged control on the box.)
_____________the fields option ________________
@etoombs you can use an independent search to process the check box selection and prepare a dummy SPL to rename each selected field name prefixed with underscore _. This way fields prefixed with underscore will be hidden from the table fields; however, at the same time they will be available for drill-down using $row._yourHiddenFieldName$.
Please try out and confirm the following run-anywhere example based on Splunk's _internal index, where the default hidden fields are mongod, splunkd and splunkd_ui_access.
<form>
  <label>Checkbox Based Table Field Filter with Drilldown</label>
  <!-- Independent search to process check box selection and create hidden table fields using underscore-prefixed field names -->
  <!-- For example:
       "mongod" selection in checkbox results in SPL "| rename mongod as _mongod"
       "mongod splunkd" selection in checkbox results in "| rename mongod as _mongod, splunkd as _splunkd"
       PS: Splunk search result fields prefixed with underscore "_" are hidden from the table, but can be used for drilldown using $row._fieldname$, for example $row._mongod$ or $row._splunkd$
  -->
  <search>
    <query>
      | makeresults
      | fields - _time
      | eval originalSelection=split("$tokSourceTypes$"," ")
      | mvexpand originalSelection
      | streamstats count as rowNum
      | eventstats max(rowNum) as maxRowNum
      | eval hiddenSelection=if(maxRowNum==rowNum," ".originalSelection." as _".originalSelection,
            " ".originalSelection." as _".originalSelection. ",")
      | stats list(hiddenSelection) as hiddenSelection
      | nomv hiddenSelection
      | eval hiddenSelection="rename ".hiddenSelection
    </query>
    <done>
      <set token="tokSelectedFields">$result.hiddenSelection$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokSourceTypes" searchWhenChanged="true">
      <label>Sourcetypes</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>| tstats count where index=_internal by sourcetype
| fields sourcetype</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>mongod,splunkd,splunkd_ui_access</default>
      <delimiter> </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats count where index=_internal by sourcetype
| transpose 0 column_name="sourcetype" header_field="sourcetype"
| $tokSelectedFields$ </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="tokMongod">$row._mongod$</set>
          <set token="tokSplunkd">$row._splunkd$</set>
          <set token="tokSplunkdUIAccess">$row._splunkd_ui_access$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>
          <h2>Drilldown to see Hidden Column Values (default hidden fields are mongod, splunkd and splunkd_ui_access)</h2>
          <div>mongod: $tokMongod$</div>
          <div>splunkd: $tokSplunkd$</div>
          <div>splunkd_ui_access: $tokSplunkdUIAccess$</div>
        </div>
      </html>
    </panel>
  </row>
</form>
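An added example (not code from the thread) that carries the answer's rename trick over to the asker's own setup: a comma-delimited checkbox of plain field names, some containing spaces, where a checked box means the field is shown and every unchecked field is renamed to a hidden underscore name. It assumes the full field list is the four names from the question, that `[...your working search...]` stands for the asker's base search, and that hidden names replace spaces with underscores so the drilldown token is `$row._VM_Team_Message$`; when nothing needs hiding it emits a harmless eval instead of an empty rename.

```xml
<form>
  <label>Show only the checked fields, keep the rest hidden for drilldown</label>
  <!-- Independent search: "fields" (comma-delimited) holds the names to SHOW.
       Every other name in allFields is renamed to an underscore-prefixed,
       space-free name: the table hides it but the row still carries it.
       Example: fields = "Severity,IP Address" produces
         rename "VM Team Message" as _VM_Team_Message, "Last Observed" as _Last_Observed
       When nothing needs hiding a harmless eval is emitted instead of an empty rename.
       "$$" is how a literal $ (the regex end anchor) is written in Simple XML. -->
  <search>
    <query>
      | makeresults
      | fields - _time
      | eval allFields=split("VM Team Message,Last Observed,Severity,IP Address", ",")
      | eval shown=split("$fields$", ",")
      | mvexpand allFields
      | eval hiddenSelection=if(isnull(mvfind(shown, "^" . allFields . "$$")),
            "\"" . allFields . "\" as _" . replace(allFields, " ", "_"), null())
      | stats list(hiddenSelection) as hiddenSelection
      | eval hiddenSelection=if(isnull(hiddenSelection), "eval _noop=null()",
            "rename " . mvjoin(hiddenSelection, ", "))
    </query>
    <done>
      <set token="tokSelectedFields">$result.hiddenSelection$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="checkbox" token="fields" searchWhenChanged="true">
      <label>Select Fields to Display</label>
      <choice value="VM Team Message">VM Team Message</choice>
      <choice value="Last Observed">Last Observed</choice>
      <choice value="Severity">Severity</choice>
      <choice value="IP Address">IP Address</choice>
      <delimiter>,</delimiter>
      <default>Last Observed,Severity,IP Address</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>[...your working search...] | $tokSelectedFields$</query>
        </search>
        <drilldown>
          <!-- hidden columns are still on the row under their underscore names -->
          <set token="tokVmTeamMessage">$row._VM_Team_Message$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
```

Because the checkbox is searchWhenChanged, every click reruns the independent search, which resets tokSelectedFields and so reruns the table search, which is the dynamic behaviour the question asks for.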
@niketnilay
Well, that was easy. Thank you very much! Never occurred to me to rename with the underscore character. I appreciate your time!
Anytime. Field names prefixed with an underscore are a trick I learnt from @woodcock 🙂