Archive
Highlighted

How do I do a simple drill down from a table?

Path Finder

Splunk newbie here, I have been testing it for a few days already. I can now create searches and dashboards based on saved searches. However, I am having trouble in making 'drill down' to work. I would like a drill down to happen whenever I click in a particular value in a cell. When a user clicks on a cell item say 'Account1' I would like another search performed and the results displayed on the same page.

Any examples will be highly appreciated

Regards
Hillary

0 Karma
Highlighted

Re: How do I do a simple drill down from a table?

Splunk Employee
Splunk Employee

Have you looked at the documentation topic about drilldowns in the Dashboards and Visualizations manual? It has examples of basic table drilldown as well as dynamic drilldown.

View solution in original post

Highlighted

Re: How do I do a simple drill down from a table?

Path Finder

I have gone through the documentation but I cant seem to apply it to my examples. My search is based on an sql query. ie.

<dashboard>
  <label>Account Performance</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| dbquery AdWordsROI limit=1000 "select * from account_performance" |eval Cost="$".round(Cost/1000000,2) |eval CostPerConversion="$".round(CostPerConversion/1000000,2) |eval AverageCPC="$".round(AverageCPC/1000000,2) |eval AveragePosition=round(AveragePosition,2) |convert  timeformat="%d-%m-%y" ctime(Day)</query>
          <earliest></earliest>
          <latest></latest>
        </search>
      </table>
     </panel>
  </row>
</dashboard>

I would like to have an item in a cell clicked on and have it perform another sql search and have the results displayed either on a seperate dashboard or on the same dashboard below the previous table

thanks
Hillary

0 Karma
Highlighted

Re: How do I do a simple drill down from a table?

Splunk Employee
Splunk Employee

Just want to make sure I understand. By default, each cell in a table is a clickable value, which will run a refined search using that value. So, for example, if my search is index=_internal introspection | top 10 max_age and one of my result rows has a cell that shows a maxage value of 17, if I click the 17, then Splunk will run the following search: `index=internal introspection max_age=17`

Are you asking how to click an item in a table cell and have it run an entirely new search, using a token that takes the value from that cell? You can use the click.value token to achieve this, and the basic contextual drilldown example in the docs should show you how.

You can also download the Dashboard Examples app to see live examples of all these simple XML capabilities.

0 Karma