- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Automatically Viewing Visualization in Search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm linking a click value token in a dashboard to a search. Is there a way to format the drilldown search string so that the visualization is shown automatically, or would I have to link to a dashboard instead of a search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @TylerJVitale,
Check out this section of the documentation on tokens :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/ContextualDrilldown#Show_or_hide_content
You can use rejects and depends to control when you want a panel in a dashboard to be hidden or revealed based on weather a token is set or unset. You can also apply conditions and only display panels based on those conditions. It's a good read.
Here's an example on how this is done :
<dashboard>
<row>
<panel>
<table>
<title>Event counts by sourcetype</title>
<search>
<query>index=_internal | stats count by sourcetype</query>
</search>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value">$click.value$</set>
</drilldown>
</table>
</panel>
<panel depends="$show_panel$">
<event>
<title>Recent events for $selected_value$</title>
<search>
<query>index=_internal sourcetype=$selected_value$ </query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="count">5</option>
</event>
</panel>
</row>
</dashboard>
Let me know if this helps you.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @TylerJVitale,
Check out this section of the documentation on tokens :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/ContextualDrilldown#Show_or_hide_content
You can use rejects and depends to control when you want a panel in a dashboard to be hidden or revealed based on weather a token is set or unset. You can also apply conditions and only display panels based on those conditions. It's a good read.
Here's an example on how this is done :
<dashboard>
<row>
<panel>
<table>
<title>Event counts by sourcetype</title>
<search>
<query>index=_internal | stats count by sourcetype</query>
</search>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value">$click.value$</set>
</drilldown>
</table>
</panel>
<panel depends="$show_panel$">
<event>
<title>Recent events for $selected_value$</title>
<search>
<query>index=_internal sourcetype=$selected_value$ </query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="count">5</option>
</event>
</panel>
</row>
</dashboard>
Let me know if this helps you.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@TylerJVitale you can link to a panel, when the token is set on clicking the panel with visualization will show up. the panel should be dependent on your token, <panel depends="$tokenname$">
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
