How to configure the multivalue field as input to drilldown search?

matstap
Communicator

I have a stats table in a dashboard and I'm trying to configure the drilldown to run a search that takes a multivalued field as input.

So If I click on a row that has field A="a","b","c", I want to run a search index=index_name (a OR b OR c)

Is there a way to do this?

0 Karma
1 Solution

niketn
Legend

@matstap, is fieldA actually a multivalue field, or is it a single value with multiple comma-separated values? They are two different things. Can you share the query which generates fieldA? Is it something like values(fieldA) as fieldA (as that would be a multivalue field)?

Try the following run-anywhere example, which converts a multivalue field to comma-separated values using the nomv command and, upon clicking, opens a new search with OR between each value.

The <eval> block in the drilldown converts comma separated values to OR separated values i.e. <eval token="tokFieldADrilldown">" ( ".replace($click.value2$,","," OR ")." ) "</eval>

<dashboard>
  <label>Multivalue drilldown to search replace comma with OR</label>
  <row>
    <panel>
      <title>$tokFieldADrilldown$</title>
      <table>
        <search>
          <query>|  makeresults
|  eval fieldA="a,b,c;x,y,z;h,i,j,k"
|  makemv fieldA delim=";"
|  mvexpand fieldA
|  makemv fieldA delim=","
|  nomv fieldA</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="fieldA">
            <eval token="tokFieldADrilldown">" ( ".replace($click.value2$,","," OR ")." ) "</eval>
            <link target="_blank">search?q=|  makeresults
|  search $tokFieldADrilldown$&amp;earliest=-24h@h&amp;latest=now</link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

PS: If your fieldA is actually a multivalue field, you would need to pipe the | nomv fieldA command to convert it to a comma-separated single-value field. If fieldA is already a comma-separated single-value field, then you would just need the <drilldown> section of the code to be applied to fieldA in your existing dashboard.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gcusello
SplunkTrust

Hi matstap,
try something like this

<form>
  <label>My Dashboard</label>
  <fieldset>
    <input type="time" token="Time">
      <label>Range Temporale</label>
      <default>
        <earliest>-h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="my_token">
      <label>My Token</label>
      <fieldForLabel>my_field</fieldForLabel>
      <fieldForValue>my_field</fieldForValue>
      <search>
        <query>
          index=my_index
          | dedup my_field 
          | sort my_field
          | fields my_field
        </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
      <choice value="*">ALL</choice>
      <initialValue>*</initialValue>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>my_field="</valuePrefix>
      <delimiter> OR </delimiter>
      <default>*</default>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
            index=my_index $my_token$
            | table _time field1 field2 field3 ...
          </query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
        </search>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</form>

Beware of the spaces around "OR" in the delimiter tag.

Bye.
Giuseppe

0 Karma
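The two approaches in this thread, the replace()-based drilldown token and the quoted valuePrefix/valueSuffix/delimiter form, modelled in Python as an added example (not Splunk's code and not code from either answer). The function names, the field name fieldA, the index name my_index and the sample cell values are assumptions; the point it adds is that a cell value containing a double quote or backslash turns the bare replace() token into a broken search, while the quoted form escapes it.

```python
import re

# Constructed sample cell values, not taken from the thread.
SAMPLE_CELLS = ["a,b,c", "h,i,j ,k", 'db "prod",web\\01', " , ,"]


def drilldown_token(click_value: str) -> str:
    """Model of the thread's <eval>: " ( " . replace($click.value2$, ",", " OR ") . " ) ".
    Values are inserted bare, so this only suits plain alphanumeric terms."""
    return " ( " + re.sub(",", " OR ", click_value) + " ) "


def spl_quote(value: str) -> str:
    """Wrap a value in double quotes as one SPL string literal, escaping
    backslashes and embedded quotes so the value cannot end the literal early."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def or_clause(click_value: str, field: str) -> str:
    """Model of the multiselect settings in the other answer (prefix "(",
    valuePrefix 'field="', valueSuffix '"', delimiter " OR ", suffix ")"),
    applied to a comma-separated cell value. Unlike the multiselect, every
    value is escaped and blank entries are dropped instead of emitting field=""."""
    values = [v.strip() for v in click_value.split(",") if v.strip()]
    if not values:
        return ""
    return "(" + " OR ".join(f"{field}={spl_quote(v)}" for v in values) + ")"


def drilldown_search(click_value: str, field: str, index: str) -> str:
    """Full search the drilldown link would open, e.g. index=my_index (fieldA="a" OR ...)."""
    clause = or_clause(click_value, field)
    return f"index={index} {clause}".rstrip()


if __name__ == "__main__":
    for cell in SAMPLE_CELLS:
        print(repr(cell))
        print("  replace-based token:", repr(drilldown_token(cell)))
        print("  quoted clause      :", drilldown_search(cell, "fieldA", "my_index"))
```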

PowerPacked
Builder

Hi @matstap

Add the code below to panel 1, from which you are passing the values a or b or c:

        <drilldown>
          <set token="abc">$click.value$</set>
        </drilldown>

and add this code to the drilldown panel you want to achieve:

<row depends="$abc$">
  <panel>
    <title>Metric: $abc$</title>
    <table>
      <search>
        <!-- $abc$ is the token set by the drilldown in panel 1 -->
        <query>index=yourindex field=$abc$</query>
        <earliest></earliest>
        <latest></latest>
      </search>
    </table>
  </panel>
</row>

Thanks

0 Karma

matstap
Communicator

I mean that the value of field A of the clicked row is "a,b,c". I essentially want to replace the commas with "OR " and in a new tab run the search with this edited version of A. I can't figure out how to do this replacement only when clicked.

0 Karma