
Using tokens in XML dashboard table "fields" tag - fields won't update dynamically

etoombs
Path Finder

I have an XML form that has a select box control that allows users to select the fields they want displayed in the output table. The selected options are stored in a token called "$fields$". The input is set to search on change.

In the dashboard, if I use |table $fields$ at the end of my search, the results table is updated every time a field is checked or unchecked, which is the action I'm looking for. However, the limitation of this is that I can't remove fields the users don't need to see if I want to keep them for drilldown.

As an alternative, I tried adding the fields tag, with $fields$ for the list and removing the table command. This effectively works at hiding the extra columns and keeping the data so that I can use it for drilldown, but it doesn't update dynamically as they are selecting/unselecting the field names.

I want the best of both worlds - I want the fields to update dynamically as clicked and to be able to retain data in the row for drilldown features. Is there a way to do this? It's multiple fields, but I'll always be able to control the field names. I'm open to using javascript on it if needed - I just haven't been able to figure out how.

A limited version of my XML is below (with some choices removed, just for brevity):

______________________The select box______________________

    <input type="checkbox" id="input_checkbox_horizontal1" searchWhenChanged="true" depends="$vsmacro$" token="fields">
      <label>Select Fields to Display</label>
      <choice value="&quot;VM Team Message&quot;">VM Team Message</choice>
      <choice value="&quot;Last Observed&quot;">Last Observed</choice>
      <choice value="&quot;Severity&quot;">Severity</choice>
      <choice value="&quot;IP Address&quot;">IP Address</choice>
      <choice value="&quot;See Also&quot;">See Also</choice>
      <choice value="&quot;CVSS Base Score&quot;">CVSS Base Score</choice>
      Notes&quot;,&quot;Note Expiration&quot;">SLM Notes Information</choice>
      <delimiter>,</delimiter>
      <default>"""Last Observed""","""Severity""","""IP Address"""</default>
      <initialValue>"Last Observed","Severity","IP Address",</initialValue>
    </input>

_____________________the tables option________________

   <query>[...a working search....] |table Directives $fields$   </query>

This will automatically update (I'd assume because of the searchWhenChanged control on the box.)

_____________the fields option ________________

        <search id="MySearch" base="BaseSearch">
          <query>|[...a working search...]</query>
        </search>
        <option name="count">10</option>
        [...removed a bunch of other "option" tags...]
        <fields>$fields$</fields>
        <drilldown>
          [...removed all the drilldown conditions...]
        </drilldown>
      </table>

Any help you might be able to provide is appreciated!!!!


niketn
Legend

@etoombs you can use an independent search to process the checkbox selection and prepare a dummy SPL to rename each selected field name prefixed with underscore _. This way, fields prefixed with underscore will be hidden from the table's fields; however, at the same time they will be available for drilldown using $row._yourHiddenFieldName$

Please try out and confirm the following run-anywhere example based on Splunk's _internal index, where the default hidden fields are mongod, splunkd and splunkd_ui_access.

<form>
  <label>Checkbox Based Table Field Filter with Drilldown</label>
  <!-- Independent Search to process Check Box selection and create hidden table fields using underscore prefix fieldnames-->
  <!-- For Example: 
                    "mongod" selection in checkbox results in SPL "| rename mongod as _mongod"
                    "mongod splunkd" selection in checkbox results in "| rename mongod as _mongod, splunkd as _splunkd"
  PS: Splunk search result fields prefixed with underscore "_" are hidden from table. But can be used for drilldown using $row._fieldname$ for example $row._mongod$ or $row._splunkd$
  -->
  <search>
    <query>
| makeresults 
| fields - _time 
| eval originalSelection=split("$tokSourceTypes$"," ")
| mvexpand originalSelection 
| streamstats count as rowNum 
| eventstats max(rowNum) as maxRowNum 
| eval hiddenSelection=if(maxRowNum==rowNum," ".originalSelection." as _".originalSelection,
    " ".originalSelection." as _".originalSelection. ",") 
| stats list(hiddenSelection) as hiddenSelection 
| nomv hiddenSelection
| eval hiddenSelection="rename ".hiddenSelection
    </query>
    <done>
      <set token="tokSelectedFields">$result.hiddenSelection$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokSourceTypes" searchWhenChanged="true">
      <label>Sourcetypes</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>| tstats count where index=_internal by sourcetype
| fields sourcetype</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>mongod,splunkd,splunkd_ui_access</default>
      <delimiter> </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats count where index=_internal by sourcetype
| transpose 0 column_name="sourcetype" header_field="sourcetype"
| $tokSelectedFields$ </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="tokMongod">$row._mongod$</set>
          <set token="tokSplunkd">$row._splunkd$</set>
          <set token="tokSplunkdUIAccess">$row._splunkd_ui_access$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>
          <h2>Drilldown to see Hidden Column Values (default hidden fields are mongod, splunkd and splunkd_ui_access)</h2>
          <div>mongod: $tokMongod$</div>
          <div>splunkd: $tokSplunkd$</div>
          <div>splunkd_ui_access: $tokSplunkdUIAccess$</div>
        </div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
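To see exactly what the independent search's done handler puts into $tokSelectedFields$, here is an added example in Python (not the post's own code) that models the token-to-rename transformation above and also covers the asker's inverse case, where the checkbox names the fields to show and every other known field gets the hiding underscore prefix. The field lists, token values and function names are constructed for illustration.

```python
# Added example, not code from the post: models the SPL fragment that the
# accepted answer's independent search emits from the checkbox token, and
# extends it to the asker's case, where the checkbox lists the fields to SHOW
# and every other known field gets the hiding underscore prefix.
# Field lists and token values are constructed for illustration.

# The asker's selectable columns (the <choice> values in the question).
ASKER_FIELDS = ["VM Team Message", "Last Observed", "Severity",
                "IP Address", "See Also", "CVSS Base Score"]

def parse_token(token_value, delimiter):
    """Split a checkbox token as the dashboard delivers it. The asker's
    choice values carry literal quotes (&quot;Severity&quot;), so quotes
    around each item are stripped."""
    names = []
    for raw in token_value.split(delimiter):
        name = raw.strip().strip('"')
        if name:
            names.append(name)
    return names

def spl_name(name):
    """Quote a field name for rename unless it is a plain identifier."""
    return name if name.replace("_", "").isalnum() else f'"{name}"'

def rename_to_hide(fields):
    """Build 'rename a as _a, b as _b'. Returns "" when nothing needs hiding,
    so the caller can substitute a no-op stage instead of the bare "rename"
    the answer's search would emit for an empty selection."""
    clauses = [f"{spl_name(f)} as {spl_name('_' + f)}" for f in fields]
    return "rename " + ", ".join(clauses) if clauses else ""

def hide_selected(token_value, known_fields, delimiter=" "):
    """Answer's behaviour: the checkbox names the fields to hide. Only names in
    known_fields are used: the token is spliced verbatim into the search, so
    an allow-list keeps unexpected values out of the generated command."""
    chosen = [f for f in parse_token(token_value, delimiter) if f in known_fields]
    return rename_to_hide(chosen)

def hide_unselected(token_value, known_fields, delimiter=","):
    """Asker's case: the checkbox names the fields to show; hide the rest."""
    shown = set(parse_token(token_value, delimiter))
    return rename_to_hide([f for f in known_fields if f not in shown])
```

With the answer's space delimiter, hide_selected reproduces the rename fragments listed in the form's comment; in the dashboard, the empty-selection case needs a default token value rather than a bare rename.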


etoombs
Path Finder

@niketnilay
Well, that was easy. Thank you very much! Never occurred to me to rename with the underscore character. I appreciate your time!

niketn
Legend

Anytime. Field names prefixed with underscore was a trick I learnt from @woodcock 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"