@rwardwell @ak9092 how about something like this? You have to ensure that Dashboard search for drilldown has raw events only using purely streaming command.
<dashboard>
<label>Table with Show Source Drilldown</label>
<search>
<query>| makeresults
| eval app="$env:app$"</query>
<done>
<set token="app">$result.app$</set>
</done>
</search>
<row>
<panel>
<table>
<search>
<done>
<set token="sid">$job.sid$</set>
</done>
<query>index=_internal sourcetype=splunkd log_level!=INFO
| fields _time log_level _raw
| head 50</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">http://localhost:8000/en-US/app/$app$/show_source?sid=$sid|n$</link>
</drilldown>
</table>
</panel>
</row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
