DEV Community

loading...

Splunk Dashboard - Changes & Drilldown

adaendra profile image Maxime Guilbert ・3 min read

On Splunk, you can create a lot of Dashboards based on your requests. For more dynamism, you can add some inputs.

But sometimes, there some panels you want to hide in a particular situation. And here comes the changes and drilldowns.


Token definition and changes and drilldowns.

Based on the tokens that can be used for your input, you can change their values with events.

Token Definition

You don't need to declare a token. By default, it will be unset.

If you declare a token for an input and you declare a default value for that input, the token will also have this default value.

Otherwise, you can use the init section to declare a value for your tokens.

<init>
    <set token="code">test</set>
    <set token="action">*</set>
</init>
Enter fullscreen mode Exit fullscreen mode

Input Event (Changes)

Dropdown

<input type="dropdown" token="typeCode_tok" searchWhenChanged="true">
      <label>Success/Error:</label>
      <choice value="*">ALL</choice>
      <choice value="error=null">Success</choice>
      <choice value="error.code=*">Error</choice>
      <default>$typeCode_tok$</default>
      <change>
        <condition label="ALL">
          <set token="isAll">true</set>
          <unset token="isSuccess"></unset>
          <unset token="isError"></unset>

        </condition>
        <condition label="Success">
          <unset token="isAll"></unset>
          <set token="isSuccess">true</set>
          <unset token="isError"></unset>

        </condition>
        <condition label="Error">
          <unset token="isAll"></unset>
          <unset token="isSuccess"></unset>
          <set token="isError">true</set>
        </condition>
      </change>
    </input>
Enter fullscreen mode Exit fullscreen mode

Input text

<input type="text" token="codeError_tok" searchWhenChanged="true">
      <label>Error code:</label>
      <default>$codeError_tok$</default>
      <change>
         <condition value="SUCCESS">
          <set token="isOnlySuccess">true</set>
          <unset token="isOnlyError"></unset>
         </condition>
         <condition>
          <set token="isOnlyError">true</set>
          <unset token="isOnlySuccess"></unset>
         </condition>
     </change>
    </input>
Enter fullscreen mode Exit fullscreen mode

Input text with a condition on "*"

<input type="text" token="codeError_tok" searchWhenChanged="true">
      <label>Error code:</label>
      <default>$codeError_tok$</default>
      <change>
         <condition match="value=&quot;*&quot;">
          <set token="isAll">true</set>
         </condition>
         <condition>
          <unset token="isAll"></unset>
         </condition>
     </change>
    </input>
Enter fullscreen mode Exit fullscreen mode

Click event on an existing panel (Drilldown)

With a click event on an existing panel, you can directly update the value of a token to show/hide a panel, or update the value of an input.

If you don't override these events on tables and pie charts (Maybe there are other panels that have the same behaviour) and you click on them, Splunk will redirect you to a new search page with the selected parameters of the dashboard and the element you clicked on.

Without condition

<chart>
       ...
        <drilldown>
          <condition>
            <set token="action">$click.value$</set>
            <set token="form.action">$click.value$</set>
          </condition>
        </drilldown>
      </chart>
Enter fullscreen mode Exit fullscreen mode

With condition

<chart>
       ...
        <drilldown>
          <condition match="$click.value$=test">
            <set token="action">$click.value$</set>
            <set token="form.action">$click.value$</set>
          </condition>
          <condition match="$click.value$=test2">
            <set token="arg">$click.value$</set>
            <set token="form.arg">$click.value$</set>
          </condition>
        </drilldown>
      </chart>
Enter fullscreen mode Exit fullscreen mode

With condition if you click in a specific column on a table

<chart>
       ...
        <drilldown>
          <condition field="errCd">
            <set token="form.errCd">$click.value2$</set>
            <set token="errCd">$click.value2$</set>
          </condition>

          <condition field="errTxt"></condition> // To disable a click event.
        </drilldown>
      </chart>
Enter fullscreen mode Exit fullscreen mode

Show/Hide a panel

To show or hide a panel, it will depend on a token and if it's defined or not.

To use it, you must surround it by $.

<panel depends="$isAll$">
Enter fullscreen mode Exit fullscreen mode

If you want to show a panel depending on multiple tokens, you can list them in the depends parameter, separated by a comma.

<panel depends="$token1$, $token2$">
Enter fullscreen mode Exit fullscreen mode

I hope it will help you! 😀

Discussion (0)

pic
Editor guide