All Apps and Add-ons

How to perform autorun search when parameters are passed from other view in SideView

disha
Contributor

I am trying from two days but i dont know where I am mistaking.
I am in the situation like I want to pass clicked value to another form. I have a value (EventID) that result from one search, and I want to load a separate view with a distinct search that takes the clicked-on EventID as argument using sideviewUtils. Also I am stuck with how to autorun the form with new clicked values and I want to show the clicked on EventID selected in dropdown list (Instead of All that is default)in new window. Please help.

From the first form I am passing value as :

DisplayResult
$click.value$

Please help me of how to collect and process this value in second form. The second form is a separate form which works independently with EventID defalt value "All".
Thanks.

0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

In short, you just need to convert the target view to use Sideview Utils, in order to get the URL-based prepopulation that the Sideview Utils modules give you.

What your target view is doing here, is you've put a Sideview URLLoader up at the top, but the modules beneath are all core Splunk modules . HiddenSearch can not substitute values given to it by URLLoader, nor can ExtendedFieldSearch and SearchSelectLister prepopulate themselves based on the values passed down by URLLoader.

See the examples and the documentation in Sideview Utils that show how the Redirector, URLLoader, Search, Pulldown and TextField modules work together to do all this.

Replace HiddenSearch with Search, ExtendedFieldSearch with TextField, SearchSelectLister with Pulldown. The good news is that the Sideview modules are easier to work with.

Take it a step at a time and study the documentation page for each Sideview module first.

View solution in original post

disha
Contributor

I have tried using search and pulldown but using pull down all dropdown menu is coming in one line. I am not able to findout whats wrong. Can you tell me where I can find the documentation of how pulldown and textfield works with example as app/sideview_utils/linking1_pulldowns is not giving enough idea of how they are working.:(


<![CDATA[
sourcetype="jsonrevtwo"
| spath path="EventID" output=EventID

   | spath path="Location" output=City 
   | spath path="Critical" output=Critical 
   | stats values(EventID) AS EventID values(City) as City values(Critical) as Critical
    ]]></param>

  <module name="Pulldown">
    <param name="name">EventID</param>
    <param name="label">$name$</param>
    <param name="template">| search $name$="$value$" </param>
    <param name="valueField">$name$</param>
    <param name="float">left</param>

    <module name="Pulldown">
      <param name="name">City</param>
      <param name="label">$name$</param>
      <param name="template">| search $name$="$value$" </param>
      <param name="float">left</param>
      <param name="valueField">$name$</param>

      <module name="Pulldown">
        <param name="name">Critical</param>
        <param name="label">$name$</param>
        <param name="template">| search $name$="$value$" </param>
        <param name="float">left</param>
        <param name="valueField">$name$</param>
0 Karma

disha
Contributor

Thankyou for all your valuable suggestion. I will keep those in mind in future and Thanks this thing works.

0 Karma

sideview
SplunkTrust
SplunkTrust

Note: you can update your original question rather than adding supplemental detail as different answers. On your other answer, I gave the solution to your "all in one ilne" problem. You can't use this kind of search --| stats values(EventID) AS EventID values(City) as City values(Critical) as Critical. Instead use this searc -- stats count by EventID City Critical, and then give each Pulldown a postProcess param like so:

<param name="postProcess">dedup $name$ | sort $name$</param>

0 Karma

sideview
SplunkTrust
SplunkTrust

In short, you just need to convert the target view to use Sideview Utils, in order to get the URL-based prepopulation that the Sideview Utils modules give you.

What your target view is doing here, is you've put a Sideview URLLoader up at the top, but the modules beneath are all core Splunk modules . HiddenSearch can not substitute values given to it by URLLoader, nor can ExtendedFieldSearch and SearchSelectLister prepopulate themselves based on the values passed down by URLLoader.

See the examples and the documentation in Sideview Utils that show how the Redirector, URLLoader, Search, Pulldown and TextField modules work together to do all this.

Replace HiddenSearch with Search, ExtendedFieldSearch with TextField, SearchSelectLister with Pulldown. The good news is that the Sideview modules are easier to work with.

Take it a step at a time and study the documentation page for each Sideview module first.

disha
Contributor

I have posted the code as answer because comment section has character limit. I know may be my question is very silly but I am very new to Splunk.Still learning..:(

0 Karma

disha
Contributor

Thanks a lot..You saved me. Here is the XML of first view from which we are passing EventID value.





*
2
False


sourcetype="jsonrevtwo"
| spath path="EventID" output=eventID
| spath path="Location" output=city
| chart count(eval(eventID)) AS "Issues" by eventID



pie
none

  <module name="JobProgressIndicator"/>

  <!-- here's the FlashChart to click on -->
  <module name="FlashChart">
    <param name="width">100%</param>
    <param name="height">600px</param>

    <module name="Redirector">
  <param name="url">DisplayResult</param>
      <param name="arg.eventID">$click.value$</param>
     </module>  
   </module>
</module>


Here is the second view's XML which is performing search. I want to collect eventid in this form which is coming from first one and perform the search.





*
False
1


splunk.search.job
True
1


dashboard


sourcetype=$sourcetype$
| spath path="EventID" output=EventID
| spath path="Location" output=City
| spath path="Critical" output=Critical
| spath path="StbID" output=StbID
| search EventID="$EventID$"
| search City="$City$"
| search Critical="$Critical$"
| search StbID="$STBID$"
| chart count(eval(Critical="FALSE")) AS "Normal Temp." , count(eval(Critical="TRUE")) AS "Critical Temp." by City


sourcetype
sourcetype







sourcetype


stringreplace



True




Customer ID (STB ID)
Customer ID (STB ID)








Customer ID (STB ID)


stringreplace



True






All


sourcetype="jsonrevtwo"
| spath path="EventID" output=EventID
| stats values(EventID) AS EventID

EventID
EventID_setting


EventID
EventID


False

EventID_setting

stringreplace


True
$target$







All


sourcetype="jsonrevtwo"
| spath path="Location" output=City
| stats values(City) AS City

City
City_setting


City
City


False

City_setting

stringreplace


True
$target$






*
All


sourcetype="jsonrevtwo"
| spath path="Critical" output=Critical
| stats values(Critical) AS Critical

Critical
Critical_setting


Critical
Critical


False

Critical_setting

stringreplace


True
$target$



False
Last 30 days

True
Search

                  <module name="Search" >
                  <param name="search"><![CDATA[
* $sourcetype$
| spath path="EventID" output=EventID 
| spath path="Location" output=City 
| spath path="Critical" output=Critical 
$EventID$ 
$City$ 
$Critical$
| chart count(eval(Critical="FALSE")) AS "Normal Temp." , count(eval(Critical="TRUE")) AS "Critical Temp." by City
                  ]]></param>

                  <module name="EnablePreview">
                    <param name="enable">True</param>
                    <param name="display">False</param>
                  </module>

                  <module name="HiddenChartFormatter" layoutPanel="panel_row1_col1">
                    <param name="charting.chart">bar</param>
                    <param name="charting.secondaryAxisTitle.text">STBs</param>
                    <param name="charting.legend.placement">none</param>
                    <param name="charting.primaryAxisTitle.text">City</param>

                    <module name="JSChart">
                      <param name="width">100%</param>
                      <module name="ConvertToDrilldownSearch">
                        <module name="ViewRedirector">
                          <param name="viewTarget">flashtimeline</param>
                        </module>
                      </module>
                    </module>
                    <module name="ViewRedirectorLink">
                      <param name="viewTarget">flashtimeline</param>
                        </module>
                      </module>
                    </module>
                   </module>
              </module>
            </module>
        </module>
  </module>
</module>







In this I am not using pulldowns. I have tried it but not able to achieve it.
here is my trial code:






*
False
1


splunk.search.job
True
1


dashboard


sourcetype=$sourcetype$
| spath path="EventID" output=EventID
| spath path="Location" output=City
| spath path="Critical" output=Critical
| spath path="StbID" output=StbID
| search EventID="$EventID$"
| search City="$City$"
| search Critical="$Critical$"
| search StbID="$STBID$"
| chart count(eval(Critical="FALSE")) AS "Normal Temp." , count(eval(Critical="TRUE")) AS "Critical Temp." by City


sourcetype
sourcetype







sourcetype


stringreplace



True




Customer ID (STB ID)
Customer ID (STB ID)








Customer ID (STB ID)


stringreplace



True



<![CDATA[
sourcetype="jsonrevtwo"
| spath path="EventID" output=EventID

| spath path="Location" output=City
| spath path="Critical" output=Critical
| stats values(EventID) AS EventID values(City) as City values(Critical) as Critical
]]>

      <module name="Pulldown">
        <param name="name">EventID</param>
        <param name="label">$name$</param>
        <param name="template">| search $name$="$value$" </param>
        <param name="valueField">$name$</param>
        <param name="float">left</param>

        <module name="Pulldown">
          <param name="name">City</param>
          <param name="label">$name$</param>
          <param name="template">| search $name$="$value$" </param>
          <param name="float">left</param>
          <param name="valueField">$name$</param>

          <module name="Pulldown">
            <param name="name">Critical</param>
            <param name="label">$name$</param>
            <param name="template">| search $name$="$value$" </param>
            <param name="float">left</param>
            <param name="valueField">$name$</param>


<module name="TimeRangePicker">
                  <param name="searchWhenChanged">False</param>
                  <param name="selected">Last 30 days</param>
                  <module name="Button">
                <param name="allowSoftSubmit">True</param>
                <param name="label">Search</param>


                  <module name="Search" >
                  <param name="search"><![CDATA[
* $sourcetype$
| spath path="EventID" output=EventID 
| spath path="Location" output=City 
| spath path="Critical" output=Critical 
$EventID$ 
$City$ 
$Critical$
| chart count(eval(Critical="FALSE")) AS "Normal Temp." , count(eval(Critical="TRUE")) AS "Critical Temp." by City
                  ]]></param>

                  <module name="EnablePreview">
                    <param name="enable">True</param>
                    <param name="display">False</param>
                  </module>

                  <module name="HiddenChartFormatter" layoutPanel="panel_row1_col1">
                    <param name="charting.chart">bar</param>
                    <param name="charting.secondaryAxisTitle.text">STBs</param>
                    <param name="charting.legend.placement">none</param>
                    <param name="charting.primaryAxisTitle.text">City</param>

                    <module name="JSChart">
                      <param name="width">100%</param>
                      <module name="ConvertToDrilldownSearch">
                        <module name="ViewRedirector">
                          <param name="viewTarget">flashtimeline</param>
                        </module>
                      </module>
                    </module>
                    <module name="ViewRedirectorLink">
                      <param name="viewTarget">flashtimeline</param>
                        </module>
                      </module>
                    </module>
                  </module>









In this code dropdown list is giving all values in one line. Please help me about how I can collect eventid in this view and how to populate drop down list correctly and with clickedon value selected. Thanks in advance.

0 Karma

sideview
SplunkTrust
SplunkTrust

OK. the problem where your Pulldown values are coming all in one line, is because the search you're using to feed them is very wrong. You're using a search that has only one row, with a multivalued-field for EventID. Instead you want to do something like "stats count by EventID", where each row is a distinct value of EventID. Pulldown renders each option from a different row in the search results, so if you give it one row with a giant multivalued field, you'll get one row with a giant space-separated value. 😃

0 Karma

sideview
SplunkTrust
SplunkTrust

Can you post the xml of both views or email me both views? Have you looked at the docs in Sideview Utils about linking from view to view and how to use the Redirector and URLLoader modules together?

As for the autoRun part, just put <param name="arg.autoRun">True</param> into your Redirector module. OR if the target view should always run onload, you can put autoRun="True" into the target view itself.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...