Drilldown: How to pass values to the destination form or dashboard?

ashishlal82
Explorer

Below is the source query to pass sourcetype.tok value to the destination dashboard.

list_of_filenames_by_hostname?form.sourcetype_tok=$click.name2$

Above is a value from a table upon clicking on the leftmost column. The value of the cell is captured in sourcetype_tok, but I am not sure how to pass this to the destination field.

0 Karma
1 Solution

somesoni2
Revered Legend

Try this as the drilldown element in your first dashboard.

<drilldown>
  <link>list_of_filenames_by_hostname?computer_name=$row.Computer_Names$</link>
</drilldown>

You use form.tokenname when you have a form input (dropdown/text etc.) with the same tokenname in the drilldown dashboard. If you just want to use the token, pass it with just the token name.

0 Karma
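
The two ways of passing the value that the answer above describes, as an added example that is not part of the original posts. The short source query is constructed for illustration, and the `|s` token filter in the destination search (it wraps the value in quotes and escapes embedded quotes, so a value arriving through the URL stays a single search term) is an addition the thread does not mention.

```xml
<!-- Source dashboard (fragment): table with a row drilldown.
     The query is a constructed stand-in for the original one. -->
<table>
  <search>
    <query>| inputlookup asset_lookup | stats count by computer_name | rename computer_name as Computer_Names</query>
  </search>
  <option name="drilldown">row</option>
  <drilldown>
    <!-- Option A: the destination is a form with an input whose token is
         computer_name, so the parameter carries the form. prefix. -->
    <link>list_of_filenames_by_hostname?form.computer_name=$row.Computer_Names$</link>
    <!-- Option B: the destination has no input for this token, so the
         parameter is the bare token name (use this link instead of A):
         list_of_filenames_by_hostname?computer_name=$row.Computer_Names$ -->
  </drilldown>
</table>

<!-- Destination dashboard for option A: list_of_filenames_by_hostname.
     The input declares the computer_name token that form.computer_name fills. -->
<form>
  <label>List of FileNames by HostName</label>
  <fieldset submitButton="false">
    <input type="text" token="computer_name">
      <label>Computer name</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- No surrounding quotes here: the |s filter adds them and
               escapes any quote characters inside the value. -->
          <query>| inputlookup asset_lookup | search computer_name=$computer_name|s$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

For option B the destination keeps the same search but needs no `<fieldset>` or `<input>`, because the token is set directly from the `computer_name` URL parameter.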

ashishlal82
Explorer

Got it!! thanks. I just overlooked

0 Karma

ashishlal82
Explorer

Question:
1) In the source query, I have used JOIN, which is quite expensive. Are there ways in Splunk where I can use a common field to join two sources without using a JOIN statement and without being expensive?

0 Karma

somesoni2
Revered Legend

Give this a try

index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR  (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") |eval hashes = mvappend(md5,sha256)|append [|inputlookup asset_lookup] 
| stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as  Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath values(hashes) as hashes by bigfix_computer_id search
|stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as  Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath by hashes | chart count  over Computer_Names by Authorized/Unauthorized

0 Karma

ashishlal82
Explorer

I tried it and it did not pull up the results.

stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as  Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath values(hashes) as hashes by bigfix_computer_id search

Why do you have search at the end?

0 Karma

somesoni2
Revered Legend

The search keyword was there in your dashboard xml. If that was a typo and the only common field is bigfix_computer_id between your data and lookup, you can just do a simple lookup.

Try this now

index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR  (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") |eval hashes = mvappend(md5,sha256) | lookup asset_lookup bigfix_computer_id OUTPUT ....put list of fields that you need from lookup for better performance...  
 |stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as  Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath by hashes | chart count  over Computer_Names by Authorized/Unauthorized

0 Karma

somesoni2
Revered Legend

Can you provide your full dashboard xml? What is the token name that you want to use in the destination dashboard/form which will hold the value?

0 Karma

ashishlal82
Explorer

Source Dashboard

List of Authorized/Unauthorized Softwares
This dashboard describes list of Authorized/Unauthorized Softwares by Computer Names

<panel>
  <table>
    <search>
      <query>index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR  (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") |eval hashes = mvappend(md5,sha256)|join  bigfix_computer_id search [|inputlookup asset_lookup] |stats values(computer_name) as Computer_Names,values(Hashes_allow_or_deny) as  Authorized/Unauthorized,values(fileName) as FileName,values(version) as Version, values(filePath) as FilePath by hashes | chart count  over Computer_Names by Authorized/Unauthorized</query>
    </search>
    <drilldown>
      <link>list_of_filenames_by_hostname?form.computer_name=$row.Computer_Names$</link>
    </drilldown>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <option name="count">10</option>
  </table>
</panel>

Destination Dashboard

List of FileNames by HostName

<panel>
  <table>
    <search>
      <query>| inputlookup asset_lookup|search computer_name="$computer_name$" </query>
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </search>
  </table>
</panel>

Getting "Search is waiting for Input" not sure why?

0 Karma