Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Table visualisation of events with extra metadata fields

atat23
Path Finder
‎06-30-2014 05:04 AM

I'm currently trying to get a dashboard to show a simple overview table of 4 or 5 keys fields. Then instead of using a drill down to view the event in a search I simply want the user to be able to click the table to view a larger list of all the related fields.

From Splunk 6 dashboard examples it looks like I can do this using the event visualisation which lets you define what fields should be listed in the metadata view.
The issue I have with this seems to be that you can only pass fields that are already displayed in your table in the metadata, not sure how I get extra fields in here that aren't already in the table.

So the example given is:

        <event>
        <title>Logins in the last week</title>
        <searchString>index=_internal action=login user=*</searchString>
        <earliestTime>-7d@d</earliestTime>
        <earliestTime>now</earliestTime>
        <fields>user, action</fields>
        <option name="type">table</option>
    </event>

Any fields I specify appear in both the table and the metadata, is there anyway to make all fields appear in the metadata and also specify exactly which ones appear in the table?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-30-2014 05:42 AM

Here's an example using a checkbox to turn extra fields on or off:

<form>
  <fieldset submitButton="false">
    <input type="checkbox" token="extra_fields" searchWhenChanged="true">
      <default/>
      <choice value="c d">Show Extra Fields</choice>
    </input>
  </fieldset>
  <row>
    <table>
      <searchString>| stats count | eval a = 1 | eval b = 2 | eval c = 3 | eval d = 4 | table a b $extra_fields$</searchString>
    </table>
  </row>
</form>

You could in principle drop this into the <table> tag:

<drilldown>
  <set token="form.extra_fields">c d</set>
</drilldown>

To let the user click the table to turn on extra fields, but you still need the checkbox to have an empty default value - else the table will wait for input indefinitely. To get around this you could open the view with an empty field parameter at the end, but then the links from within Splunk won't work anymore.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-30-2014 05:42 AM

Here's an example using a checkbox to turn extra fields on or off:

<form>
  <fieldset submitButton="false">
    <input type="checkbox" token="extra_fields" searchWhenChanged="true">
      <default/>
      <choice value="c d">Show Extra Fields</choice>
    </input>
  </fieldset>
  <row>
    <table>
      <searchString>| stats count | eval a = 1 | eval b = 2 | eval c = 3 | eval d = 4 | table a b $extra_fields$</searchString>
    </table>
  </row>
</form>

You could in principle drop this into the <table> tag:

<drilldown>
  <set token="form.extra_fields">c d</set>
</drilldown>

To let the user click the table to turn on extra fields, but you still need the checkbox to have an empty default value - else the table will wait for input indefinitely. To get around this you could open the view with an empty field parameter at the end, but then the links from within Splunk won't work anymore.

Reply
Solved! Jump to solution

atat23
Path Finder
‎06-30-2014 09:17 AM

Still wouldn't work till I upgraded till the latest version of Splunk.

Can confirm that "checkbox" works now as well, so it does need 6.1

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-30-2014 07:19 AM

Checkbox may have been added in 6.1, there's no particular reason to use it over anything else though.

Consider adding a second option to your radio input, "no extra fields" with an empty value - then you can have that selected by default to let the search kick off straight away.

0 Karma
Reply
Solved! Jump to solution

atat23
Path Finder
‎06-30-2014 07:14 AM

Had to use input type="radio" as the template for uri checkbox input couldn't be found, but I guess it will work with a few different type of input elements depending on how it's tweaked.
Then with just a and b I get that the search isn't fully resolved but it works when the radio box is checked for all four columns.....

Will continue to play with it but I think this is a pretty neat way of doing it compared to what I was trying to do. Thanks Martin!

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...