How do I do a simple drill down from a table?

BobKimata
Path Finder

Splunk newbie here, I have been testing it for a few days already. I can now create searches and dashboards based on saved searches. However, I am having trouble making 'drill down' work. I would like a drill down to happen whenever I click on a particular value in a cell. When a user clicks on a cell item, say 'Account1', I would like another search performed and the results displayed on the same page.

Any examples will be highly appreciated.

Regards
Hillary

0 Karma

ChrisG
Splunk Employee

Have you looked at the documentation topic about drilldowns in the Dashboards and Visualizations manual? It has examples of basic table drilldown as well as dynamic drilldown.

BobKimata
Path Finder

I have gone through the documentation but I can't seem to apply it to my examples. My search is based on an SQL query, i.e.

<dashboard>
  <label>Account Performance</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- A literal dollar sign is written as $$ in Simple XML so it is not parsed as a token delimiter -->
          <query>| dbquery AdWordsROI limit=1000 "select * from account_performance" | eval Cost="$$".round(Cost/1000000,2) | eval CostPerConversion="$$".round(CostPerConversion/1000000,2) | eval AverageCPC="$$".round(AverageCPC/1000000,2) | eval AveragePosition=round(AveragePosition,2) | convert timeformat="%d-%m-%y" ctime(Day)</query>
          <earliest></earliest>
          <latest></latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

I would like to have an item in a cell clicked on and have it perform another SQL search and have the results displayed either on a separate dashboard or on the same dashboard below the previous table.

Thanks
Hillary

0 Karma

ChrisG
Splunk Employee

Just want to make sure I understand. By default, each cell in a table is a clickable value, which will run a refined search using that value. So, for example, if my search is index=_internal introspection | top 10 max_age and one of my result rows has a cell that shows a max_age value of 17, if I click the 17, then Splunk will run the following search: index=_internal introspection max_age=17

Are you asking how to click an item in a table cell and have it run an entirely new search, using a token that takes the value from that cell? You can use the click.value token to achieve this, and the basic contextual drilldown example in the docs should show you how.

You can also download the Dashboard Examples app to see live examples of all these simple XML capabilities.

0 Karma
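
The contextual drilldown discussed in this thread, sketched as an added example that is not part of the original posts or of the Splunk documentation: clicking a row sets a token, and a second panel on the same dashboard runs a new dbquery with it. The column name Account and the token name account_tok are assumptions; the database and table names are taken from the dashboard posted above.

```xml
<dashboard>
  <label>Account Performance</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| dbquery AdWordsROI limit=1000 "select * from account_performance"</query>
        </search>
        <!-- Make individual cells clickable -->
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- For tables, $click.value$ is the leftmost column of the clicked row
               and $click.value2$ is the clicked cell itself. $row.Account$ always
               takes the Account column (assumed name), whichever cell is clicked. -->
          <set token="account_tok">$row.Account$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- This panel stays hidden until account_tok has been set by a click -->
    <panel depends="$account_tok$">
      <title>Details for $account_tok$</title>
      <table>
        <search>
          <!-- The token is substituted into the SQL text verbatim. A value that
               contains a single quote changes the statement, so drill down only
               on columns whose values have a known, restricted character set. -->
          <query>| dbquery AdWordsROI limit=1000 "select * from account_performance where Account='$account_tok$'"</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```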