https://community.splunk.com/t5/Dashboards-Visualizations/point-to-events-for-aggregate-functions/m-p/351201#M22881 <P>Hi ,</P> <P>So, I have a dashboard containing search query like :</P> <P>search query | stats max(field1) by field2</P> <P>but when I want to see the events for a particular point it leads me to all results for field1 rather than the showing events for field1= max(field1) and field2=result2(selected point for).</P> <P>Any suggestions, please?</P> Fri, 20 Apr 2018 10:25:17 GMT pratibha2018 2018-04-20T10:25:17Z https://community.splunk.com/t5/Dashboards-Visualizations/point-to-events-for-aggregate-functions/m-p/351201#M22881 <P>Hi ,</P> <P>So, I have a dashboard containing search query like :</P> <P>search query | stats max(field1) by field2</P> <P>but when I want to see the events for a particular point it leads me to all results for field1 rather than the showing events for field1= max(field1) and field2=result2(selected point for).</P> <P>Any suggestions, please?</P> Fri, 20 Apr 2018 10:25:17 GMT https://community.splunk.com/t5/Dashboards-Visualizations/point-to-events-for-aggregate-functions/m-p/351201#M22881 pratibha2018 2018-04-20T10:25:17Z https://community.splunk.com/t5/Dashboards-Visualizations/point-to-events-for-aggregate-functions/m-p/351202#M22882 <P>Try the following Run anywhere dashboard example based on Splunk's _internal index. It passes on the value of <CODE>max(date_seconds)</CODE> to a new search (using predefined drilldown token <CODE>$click.value2$</CODE>) which opens in new window.</P> <PRE><CODE>&lt;form&gt; &lt;label&gt;Max Field Value for Drilldown&lt;/label&gt; &lt;fieldset submitButton="false"&gt; &lt;input type="time" token="tokTime" searchWhenChanged="true"&gt; &lt;label&gt;&lt;/label&gt; &lt;default&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/default&gt; &lt;/input&gt; &lt;/fieldset&gt; &lt;row&gt; &lt;panel&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;index=_internal sourcetype=splunkd log_level=* | stats max(date_second) as date_second by log_level&lt;/query&gt; &lt;earliest&gt;$tokTime.earliest$&lt;/earliest&gt; &lt;latest&gt;$tokTime.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="count"&gt;20&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;none&lt;/option&gt; &lt;option name="drilldown"&gt;cell&lt;/option&gt; &lt;option name="percentagesRow"&gt;false&lt;/option&gt; &lt;option name="rowNumbers"&gt;false&lt;/option&gt; &lt;option name="totalsRow"&gt;false&lt;/option&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;drilldown&gt; &lt;link target="_blank"&gt;search?q=index=_internal sourcetype=splunkd log_level=* date_second="$click.value2$"&amp;amp;earliest=$tokTime.earliest$&amp;amp;latest=$tokTime.latest$&lt;/link&gt; &lt;/drilldown&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt; </CODE></PRE> Tue, 29 Sep 2020 19:05:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/point-to-events-for-aggregate-functions/m-p/351202#M22882 niketn 2020-09-29T19:05:27Z https://community.splunk.com/t5/Dashboards-Visualizations/point-to-events-for-aggregate-functions/m-p/351203#M22883 <P>This works.</P> <P>Thanks, @niketnilay!</P> Mon, 23 Apr 2018 05:27:39 GMT https://community.splunk.com/t5/Dashboards-Visualizations/point-to-events-for-aggregate-functions/m-p/351203#M22883 pratibha2018 2018-04-23T05:27:39Z