Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Do this in Simple XML?

kmattern
Builder
‎12-10-2014 08:13 AM

I am using Advanced XML and plan on doing so as long as I can but I am curious to know whether I can do the following in Simple XML. This is a small sample of stuff I do every day in Advanced XML.

Hide one or more columns in a table

Pass multiple arguments, including hidden columns, to a new dashboard from table results as drilldowns

Replace column values with icons based on value

Tags (2)
Reply

somesoni2
Revered Legend
‎07-21-2015 08:28 AM

For requirement 2, use the example dashboard "Table Icon Set" from the "Splunk 6.x Dashboard Example" app.

App link: https://splunkbase.splunk.com/app/1603/

0 Karma
Reply

helenashton
Path Finder
‎05-01-2015 07:19 AM

"Pass multiple arguments, including hidden columns, to a new dashboard from table results as drilldowns"

I was just doing this yesterday and recalled your question.
You can use the drilldown option and then the link to specify the new dashboard URL. In this you can include the token value (mine was row.Account) and assign this to an input field (mine was called UserInput). I have left in the XML for setting the token for normal drilldown use two - I often have both options.

 <table>
    <search>
      <query>...</query>
    </search>
    <option name="drilldown">row</option>
    <drilldown field="*">
      <set token="Account">$row.Account$</set>
      <link target="_blank"><![CDATA[
        http://SplunkURL/en-US/app/myappName/my_dashboard?autoRun=True&form.UserInput=$row.Account$
      ]]></link>
    </drilldown>
  </table>
0 Karma
Reply

helenashton
Path Finder
‎04-07-2015 12:46 PM

If I remember correctly, in simple xml you can have then in your table, but in the fields option for the table you can specify the fields. The data is still present, but not shown to the user.

For example, here I show the time, systemFrom and systemTo to the user, but on drilldown I grab the eventId value from that row and use this later on.

    <table>
        <search>
          <query><![CDATA[
index=myIndex  host=myHost 
...
          ]]></query>
        </search>
        <fields>_time, systemFrom, systemTo </fields>
        <option name="drilldown">row</option>
        <drilldown>
          <condition field="*">
            <set token="myEventId">$row.eventId$</set>
          </condition>
        </drilldown>
      </table>
Reply

cblanton
Communicator
‎08-09-2019 09:53 AM

thank you @helenashton! this is great. I hesitated to try it at first thinking it wouldn't make sense after the | table line in my search, but it works exactly as expected!

in your search, you | table all the fields you need to keep and then copy only the field names you want to be visible into the |fields line.

0 Karma
Reply

mabinn
Explorer
‎09-20-2018 10:01 AM

Thanks a lot! this works on tables. But this does not seem to work if I am using a column table? When I add the tag, it gives me an error warning that I cannot use "fields" node inside the column table. Any workaround?

0 Karma
Reply

felipesewaybric
Contributor
‎07-21-2015 06:57 AM

Thank you, those _time, systemFrom, systemTo and was exactly what i need.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-02-2017 09:19 PM

Thanks helenashton, never knew that, opens up another Splunk door 🙂

0 Karma
Reply

meenal901
Communicator
‎02-12-2015 11:07 PM

You can use CSS to hide a column. I have done below (hides last column in the table of panel2):

div#panel2 .table tr>td:last-child {padding-right:20px; display:none !important;}
div#panel2 .table tr>th:last-child {padding-right:20px; display:none !important;}

Hope it helps.

0 Karma
Reply

fdi01
Motivator
‎12-11-2014 03:47 AM

for Hide one or more columns in a table

you can use the " .........|fields - fieldName1" to hide one colunn in a table
or " .........|fields - fieldName1, fieldName2, fieldName3, ... fieldNamen " to hide more colunns in a table

exple you this search: "" |eventcount eventcount summarize=false index=* 0r index=_* "" but if i want to hide server colunn i add "|fields - server" command to end such

|eventcount eventcount summarize=false index=* 0r index=_* | fields - server you see in you result the server colunn is hide.

after your_search... for version 6.0 and 6.1 or your_search... for version6.2 in your xml you can Pass multiple arguments, including hidden columns, to a new dashboard from table results as drilldowns
and Replace column values with icons based on value

0 Karma
Reply

kmattern
Builder
‎12-15-2014 06:18 AM

That doesn't hide them, it removes them. If I do a CSV export the "hidden" field does not get included. The results of this search do not meet my requirements.

index=portal sourcetype=portal WebPage!="*poller*" | table Date, user, WebPage, cs_uri_query | fields Date, user, WebPage
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...