All Apps and Add-ons

Only pass one value for a drilldown when clicking on a table

mbazelon
Explorer

I have a table which is built based on a search above it. The table is populated with multiple rows and six columns. What I would like to accomplish through SideView Utils version 3.1.1, is to be able to click on a value (ie. a user ID) and have a new table populate with all of the information regarding the user (what machines have they logged into, what software is loaded on thier machine, etc.). I am attempting to use $row.cell0.value$ for each cell that I would like the end user to query. The problem I am running into is that using $row.cell0.value$, $row.cell1.value$, and $row.cell2.value$, is that in my next query down it is passing all three values instead of the one I am clicking on. Is there any way to only pass the value that has been clicked on and filter out the others?

Thanks for your help!

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

If you switch to a SimpleResultsTable instead of a Table, you can set the drilldown param to all and receive $click.name2$ and $click.value2 tokens containing the field name and value of the cell you clicked on. Note, this will of course make all the $row.*$ tokens disappear.

As per http://answers.splunk.com/answers/124340/sideview-utils-drilldown-by-column/124865 you can submit a feature request to enable by-column drilldown in the Table module to get that moved further to the top of the pile.

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

Remember $foo$ tokens are always case sensitive. If you have a table whose columns are

host | bob | alice | mildred

and you want to allow the user to select both a row (thus picking a host) and also a column (thus picking a user), then you cant actually use Sideview's Table module. This mode is very seldom used and so seldom requested as a new feature that Sideview still hasn't implemented it on the Table module .

But on Splunk's SimpleResultsTable module, you would use

$click.value$ as the host, and $click.name2$ as the username. Note that if the user clicks the first column, the $click.name2$ will actually be the host, and this always complicates drilldown config because obviously it's not a valid user.

If on the other hand you dont need the user to pick a column, it's better to use Sideview's Table module. Then you can use keys like $row.fieldName$ for all the fields in the table (ie $row.host$) The Sideview Utils app contains lots of pages of walkthrough documentation and working examples for the Table module.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you switch to a SimpleResultsTable instead of a Table, you can set the drilldown param to all and receive $click.name2$ and $click.value2 tokens containing the field name and value of the cell you clicked on. Note, this will of course make all the $row.*$ tokens disappear.

As per http://answers.splunk.com/answers/124340/sideview-utils-drilldown-by-column/124865 you can submit a feature request to enable by-column drilldown in the Table module to get that moved further to the top of the pile.

0 Karma

mbazelon
Explorer

I was able to adjust my query to allow the values to pass from the SimpleResultsTable. I am using an SQL query and I made used a statement at the end:

where ($click.name2$='$click.value2$')

I was able to pass down the fieldname from SQL based on the column and the value in the cell itself.

Thanks to everyone for thier help!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

If you only want to drilldown based on userId, then set the drilldown to 'row' (from 'all'). Then when user click a row, your can access all the columns for a row using '$row.fields.FieldName$', including userId

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The numbers do not refer to column numbers. $click.value$ gives you the value of the clicked row, first column. $click.value$ gives you the value of the clicked row, clicked column. With $click.name$ and $click.name2$ it's the same story, the former gives you the first column name and the latter gives you the clicked column name.

0 Karma

mbazelon
Explorer

Thanks for the answer. I changed my table to a SimpleResultsTable but I am having a problem passing the values individually. When I click on my second column, the first column is passed down correctly (which is data I don't want for the query in this test), but the second column data does not drill down to the correct part of my seach.

I don't know if it is possible, but can you have $click.value1$, $click.value3$ for my other columns? The data from each column uses a different part of the next query.

EX:

$Click.Value$=Workstation
$Click.Value1$=Workstation_OU
$Click.Value2$=User_Acc

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...