Drilldown with $click$ values not working

bowesmana
SplunkTrust

I have a dashboard where I display a list of wines. I want to be able to incrementally add the wine name to a search criteria so the user can select the wines they are interested in. The wine name field is "Description", so I have the query like

index=... $wines$ 

$wines$ is unset the first time around and this drilldown will work for the first click

<set token="wines">$click.name2$=$click.value2|s$</set>

which sets Description="wine", depending on the click, but of course this overwrites $wines$ each click. In order to build up the criteria I tried using eval/if

I tried

<eval token="wines">if(match($wines$, "Description"), "AlreadySet", "$click.name2$"="$click.value2|s$")</eval>

but this results in $wines$ being 'false'.

I know that if I just put "XX" in the else part of the if, it returns that. I have tried no quotes, double $ sign and so on, but I can't make it work. I also tried elements with no luck.

Any ideas on how I can achieve what I want, i.e. to ultimately get

Description="Wine 1" OR Description="Wine 2" OR Description="Wine 3"...

like a standard multi select dropdown. I'm not using that multi select as it's too slow - there are 10,000 wines...

0 Karma

bowesmana
SplunkTrust

I solved my original problem with the following

<set token="query">(Description=$row.Description|s$ Vintage=$row.Vintage|s$)</set>
<set token="wines">$wines$ OR $query$</set>

and in the dashboard set wines to Description="XX", which saved having to use eval in the drilldown. Works nicely, other than I've not found a good way to "unclick" a particular wine/vintage to remove it from the currently selected wine set. Small problem though.

Would still be nice to understand why I couldn't get it to work with the eval statement.

0 Karma

woodcock
Esteemed Legend

I did something similar when I needed to search tens-of-thousands of software packages. I used 2 controls instead of one. The unusual control was a RegEx based pre-filter on the main multi-select control:

<label>Demo for whittling down a HUGE selection list to manageable chunk</label>
<description>This is not the exact answer that you were seeking, but may be a good alternative</description>
<fieldset autorun="false" submitButton="true">
  <input type="text" token="filter_token" searchWhenChanged="false">
    <label>RegEx filter for Wine Dropdown --&gt;</label>
    <default>.</default>
  </input>
  <input type="dropdown" token="wine_token" searchWhenChanged="false">
    <label>(&lt;-- filtered) Wine Selector:</label>
    <default>*</default>
    <choice value="*">All</choice>
    <fieldForLabel>wine</fieldForLabel>
    <fieldForValue>wine</fieldForValue>
    <search>
      <query>| inputcsv winelist.csv | regex wine="(?i)$filter_token$" | table wine</query>
      <earliest>-1s</earliest>
      <latest>now</latest>
    </search>
  </input>
</fieldset>

The really nice thing about this is that it is very natural and only the geeks who grok RegEx need to know it is RegEx under the hood; the plebes will just type white and it will "just work". They will need to be taught to do red|white and that will be good for 90+% of all users/searches and for those who need more, you get to geek mentor them into RegEx.

0 Karma

bowesmana
SplunkTrust

I like this as a cool idea. I've got a couple of filters, but was wondering how to make them more powerful as they are currently just raw text strings, so supporting regex would be really neat.

I solved my original problem with the following

 <set token="query">(Description=$row.Description|s$ Vintage=$row.Vintage|s$)</set>
 <set token="wines">$wines$ OR $query$</set>

and initially set wines to Description="XX", which saved having to use eval in the drilldown. Works nicely, other than I've not found a good way to "unclick" a particular wine/vintage to remove it from the currently selected wine set. Small problem though.

0 Karma
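
The "unclick" gap described in the comment above, as an added example that is not part of the original thread or anyone's posted code: the selection is kept as a keyed set rather than an ever-growing string, so a second click on the same row removes it, and the `wines` clause is rebuilt from the set each time. The function names are hypothetical, the sample rows are constructed, and `quoteSpl` only approximates the `|s` filter (escaping backslashes as well as quotes is an assumption).

```javascript
// Approximation of the |s token filter: wrap the value in double quotes and
// escape embedded quotes (backslash escaping is an added assumption), so a
// wine name containing " cannot close the quoted value early in the search.
function quoteSpl(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// One clause per clicked row, same shape as the <set token="query"> above.
function rowClause(row) {
  return '(Description=' + quoteSpl(row.Description) +
         ' Vintage=' + quoteSpl(row.Vintage) + ')';
}

// Clicking a row adds it; clicking it again removes it. Returns a new Map.
function toggleRow(selection, row) {
  const key = JSON.stringify([row.Description, row.Vintage]);
  const next = new Map(selection);
  if (next.has(key)) next.delete(key); else next.set(key, row);
  return next;
}

// Value for the wines token. With nothing selected it falls back to the
// Description="XX" placeholder used as the initial value in the thread.
function winesToken(selection) {
  if (selection.size === 0) return 'Description="XX"';
  return Array.from(selection.values()).map(rowClause).join(' OR ');
}

// Constructed sample clicks: select two rows, unclick the first, then the second.
function demo() {
  const a = { Description: 'Wine 1', Vintage: '2015' };
  const b = { Description: 'Chateau "Test" Rouge', Vintage: '2012' };
  let sel = toggleRow(toggleRow(new Map(), a), b);
  const both = winesToken(sel);
  sel = toggleRow(sel, a);
  const onlyB = winesToken(sel);
  sel = toggleRow(sel, b);
  return { both, onlyB, empty: winesToken(sel) };
}

console.log(demo());
```

In a dashboard this logic would have to run from a JavaScript extension that writes the result to the `wines` token; that wiring is not shown here.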

woodcock
Esteemed Legend

You should convert your comment to an answer and click Accept to close the question.

0 Karma

bowesmana
SplunkTrust

Duh! I didn't see the wheel to convert to answer... but thanks anyway for your regex stuff. Handy!

0 Karma

puneethgowda
Communicator

New version has drill down in UI that would help you

0 Karma

jkat54
SplunkTrust

Why is multi select too slow? That's the way to do it in Splunk in my humble opinion. What search did you use to populate multiselect?

0 Karma

bowesmana
SplunkTrust

The problem is that it's an AWS t2 micro instance 😞 and can't cope with the 10k results, just locks up the browser.

index=... sourcetype=...
| stats count by Description
| sort Description

I've used them many times before and you're right, it's the normal way to go. As to "why..." - my performance analysis of Splunk is not great - other than the golden rule of never use "transaction or join" 🙂

0 Karma