Splunk Search

How do I do a simple drill down from a table?

BobKimata
Path Finder

Splunk newbie here, I have been testing it for a few days already. I can now create searches and dashboards based on saved searches. However, I am having trouble making 'drill down' work. I would like a drill down to happen whenever I click on a particular value in a cell. When a user clicks on a cell item, say 'Account1', I would like another search performed and the results displayed on the same page.

Any examples will be highly appreciated.

Regards
Hillary

0 Karma
1 Solution

ChrisG
Splunk Employee

Have you looked at the documentation topic about drilldowns in the Dashboards and Visualizations manual? It has examples of basic table drilldown as well as dynamic drilldown.

BobKimata
Path Finder

I have gone through the documentation but I can't seem to apply it to my examples. My search is based on an SQL query, i.e.:

<dashboard>
  <label>Account Performance</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| dbquery AdWordsROI limit=1000 "select * from account_performance" |eval Cost="$".round(Cost/1000000,2) |eval CostPerConversion="$".round(CostPerConversion/1000000,2) |eval AverageCPC="$".round(AverageCPC/1000000,2) |eval AveragePosition=round(AveragePosition,2) |convert  timeformat="%d-%m-%y" ctime(Day)</query>
          <earliest></earliest>
          <latest></latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

I would like to have an item in a cell clicked on and have it perform another SQL search and have the results displayed either on a separate dashboard or on the same dashboard below the previous table.

thanks
Hillary

0 Karma

ChrisG
Splunk Employee

Just want to make sure I understand. By default, each cell in a table is a clickable value, which will run a refined search using that value. So, for example, if my search is index=_internal introspection | top 10 max_age and one of my result rows has a cell that shows a max_age value of 17, if I click the 17, then Splunk will run the following search: index=_internal introspection max_age=17

Are you asking how to click an item in a table cell and have it run an entirely new search, using a token that takes the value from that cell? You can use the click.value token to achieve this, and the basic contextual drilldown example in the docs should show you how.

You can also download the Dashboard Examples app to see live examples of all these simple XML capabilities.

0 Karma
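
One way to wire up the token-based drilldown described in the answer above, as an added example that is not part of the original thread or of Splunk's documentation. It assumes the result set has a column named Account, uses a hypothetical token name account_tok, and assumes a Splunk version whose Simple XML accepts <set> inside <drilldown>.

```xml
<dashboard>
  <label>Account Performance (drilldown example)</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| dbquery AdWordsROI limit=1000 "select * from account_performance"</query>
        </search>
        <!-- Make individual cells clickable. -->
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- Assumption: the results contain a column named Account.
               row.Account is that column's value in the clicked row;
               click.value2 would be the value of the clicked cell itself. -->
          <set token="account_tok">$row.Account$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- This panel stays hidden until a click in the table above sets account_tok. -->
    <panel depends="$account_tok$">
      <title>Details for $account_tok$</title>
      <table>
        <search>
          <!-- The clicked value is applied as an SPL filter through the |s token
               filter, which quotes and escapes it. It is not concatenated into
               the SQL string, so a quote character in a cell value cannot change
               the SQL statement that dbquery sends to the database. -->
          <query>| dbquery AdWordsROI limit=1000 "select * from account_performance" | search Account=$account_tok|s$</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

To send the user to a separate dashboard instead, the <set> element can be replaced with a <link> element that passes the same token in the target URL.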