Dashboards & Visualizations

How to get Splunk to link to different dashboards depending on the extracted field value from the table drilldown in Simple XML?

alex1895
Path Finder

I want Splunk to link to different dashboards depending on the extracted field value it got from the table drilldown.

Is it possible to solve via Simple XML?

Alex

0 Karma
1 Solution

s2_splunk
Splunk Employee
Splunk Employee

Hi alex1895,
the snippet below is taken from the Splunk 6.x Dashboard Examples App, spcifically the "Drilldown Elements->Dynamic Drilldown" section.
alt text

Adjust the link URL to the view you want to navigate to and use $token$ values from your source view as needed.

View solution in original post

0 Karma

bandit
Motivator

Drilldown example of a row click dynamically generating a URL based on field values in the row. Either absolute or relative links should work using Link to custom URL in the Drilldown Editor. I'm running Splunk 7.1

     <drilldown>
       <link target="_blank">/app/$row.app$/$row.title$</link>
     </drilldown>

Sample Dash:

  <form>
  <label>Dashboard Explorer v2</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="app" searchWhenChanged="true">
      <label>App</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>app</fieldForLabel>
      <fieldForValue>app</fieldForValue>
      <search>
        <query>| rest /servicesNS/-/-/data/ui/views 
| table author title eai:acl.app 
| eval type="Dashboard" 
| rename eai:acl.app as app 
| search NOT (app="*TA-*" OR app="*SA-*" OR app="*_TA_*") 
| table app 
| dedup app 
| sort app</query>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="title" searchWhenChanged="true">
      <label>Title</label>
      <fieldForLabel>title</fieldForLabel>
      <fieldForValue>title</fieldForValue>
      <search>
        <query>| rest /servicesNS/-/-/data/ui/views 
| table author title eai:acl.app 
| eval type="Dashboard" 
| rename eai:acl.app as app 
| search NOT (app="*TA-*" OR app="*SA-*" OR app="*_TA_*") 
| table title 
| dedup title
| sort title</query>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="author" searchWhenChanged="true">
      <label>Author</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>author</fieldForLabel>
      <fieldForValue>author</fieldForValue>
      <search>
        <query>| rest /servicesNS/-/-/data/ui/views 
| table author title eai:acl.app 
| eval type="Dashboard" 
| rename eai:acl.app as app 
| search NOT (app="*TA-*" OR app="*SA-*" OR app="*_TA_*") 
| table author 
| dedup author 
| sort author</query>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="key_word" searchWhenChanged="true">
      <label>Key Word</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Dashboards</title>
      <single>
        <search>
          <query>| rest /servicesNS/-/-/data/ui/views 
| table author title eai:acl.app 
| eval type="Dashboard" 
| rename eai:acl.app as app 
| search app="$app$" title="$title$" author="$author$" (app="*$key_word$*" OR title="*$key_word$*" OR author="*$key_word$*") NOT (app="*TA-*" OR app="*SA-*" OR app="*_SA_*" OR app="*_TA_*" OR app="Splunk_ML_Toolkit" OR app="splunk_monitoring_console" OR app="
    unix-indexer-props") 
| table app title author type 
| stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x006d9c","0x006d9c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <title>Top App</title>
      <table>
        <search>
          <query>| rest /servicesNS/-/-/data/ui/views 
| table author title eai:acl.app 
| eval type="Dashboard" 
| rename eai:acl.app as app 
| search app="$app$" title="$title$" author="$author$" (app="*$key_word$*" OR title="*$key_word$*" OR author="*$key_word$*") NOT (app="*TA-*" OR app="*SA-*" OR app="*_SA_*" OR app="*_TA_*" OR app="Splunk_ML_Toolkit" OR app="splunk_monitoring_console" OR app="
    unix-indexer-props") 
| table app title author type 
| top app 
| eval percent=round(percent,1)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="app">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="title">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="author">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
    <panel>
      <title>Top Author</title>
      <table>
        <search>
          <query>| rest /servicesNS/-/-/data/ui/views 
| table author title eai:acl.app 
| eval type="Dashboard" 
| rename eai:acl.app as app 
| search app="$app$" title="$title$" author="$author$" (app="*$key_word$*" OR title="*$key_word$*" OR author="*$key_word$*") NOT (app="*TA-*" OR app="*SA-*" OR app="*_SA_*" OR app="*_TA_*" OR app="Splunk_ML_Toolkit" OR app="splunk_monitoring_console" OR app="
    unix-indexer-props") 
| table app title author type 
| top author 
| eval percent=round(percent,1)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="app">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="title">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="author">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Dashboard List</title>
      <table>
        <title>click row to launch dashboard</title>
        <search>
          <query>| rest /servicesNS/-/-/data/ui/views 
| table author title eai:acl.app 
| eval type="Dashboard" 
| rename eai:acl.app as app 
| search app="$app$" title="$title$" author="$author$" (app="*$key_word$*" OR title="*$key_word$*" OR author="*$key_word$*") NOT (app="*TA-*" OR app="*SA-*" OR app="*_SA_*" OR app="*_TA_*" OR app="Splunk_ML_Toolkit" OR app="splunk_monitoring_console" OR app="
    unix-indexer-props") 
| table app title author type 
| sort app title</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
        <format type="color" field="app">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="title">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="author">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <drilldown>
          <link target="_blank">/app/$row.app$/$row.title$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Hi alex1895,
the snippet below is taken from the Splunk 6.x Dashboard Examples App, spcifically the "Drilldown Elements->Dynamic Drilldown" section.
alt text

Adjust the link URL to the view you want to navigate to and use $token$ values from your source view as needed.

0 Karma

alex1895
Path Finder

Thanks for the reply. I am not really sure if that is the answer to my question. I know how to use Dynamic Drilldown, I just want to include a value check before exercising the drilldown. Depending on that value the dynamic drilldown would go to different places.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

I think you are sure that it is not, and I am sorry for misunderstanding your question. 🙂
This probably better describes your use case, if I get it now and I think the answer given there is accurate. You will likely have to convert to a HTML dashboard and implement your conditional logic in JavaScript.

Or maybe your use case allows you to follow the approach described here, but that depends on whether you can map your conditions to a dashboard view naming convention.

Is that more in line with what you need?

alex1895
Path Finder

Great thanks the second one work out.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...