Re: Classic Dashboard Drilldown Click on a Value a... - Page 2

lcguilfoil · ‎05-13-2025

Hello! I have a Classic Dashboard in Splunk and I am currently working with an Events pane. I am trying to set a token via drilldown. Here is my code:

<event>
	<search>
		<query>$case_token$ $host_token$ $level_token$ $rule_token$</query>
	</search>
	<fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
	<option name="count">50</option>
	<option name="list.drilldown">none</option>
	<option name="list.wrap">1</option>
	<option name="raw.drilldown">none</option>
	<option name="refresh.display">progressbar</option>
	<option name="table.drilldown">all</option>
	<option name="table.sortDirect">asc</option>
	<option name="table.wrap">1</option>
	<option name="type">table</option>
	<drilldown>
		<condition field="Channel">
			<set token="channel_token">$click.value$</set>
		</condition>
	</drilldown>
</event>

There's two problems:

1. The token is not being set when I click on the table.

2. The condition to only select from the Channel fields is not working.

Thank you in advance!

bowesmana · ‎05-13-2025

Can you fully expand an example of the search. I assume Channel a visible field in the event list? Have you explicitly specified Channel as a field in the SPL?

lcguilfoil · ‎05-14-2025

Hi! Yes, here is the complete search:

$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$
| table Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details, *

Channel is added as a field in the table command, as well as specified in the code:

<fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTItle, Details</fields>

bowesmana · ‎05-14-2025

There's something odd in the interaction between the <event> display and the table command and the fields control. I have an example dashboard, which does this search

index=_internal user=*
| table _time index sourcetype user *
| eval Channel=user

Yet the Channel column is not even shown, even though it is in the <fields> statement.

If I change the table to a fields statement or remove it completely, it works.

Is there any reason you are adding the table command there? It doesn't really serve any purpose, as you are controlling display with the <fields> statement.

lcguilfoil · ‎05-15-2025

Hi! Thank you for your response. When I take out the table command, only the _time, host, Level, and RuleTitle fields show up. The fields I have included in <fields></fields> don't all show up.

bowesmana · ‎05-15-2025

I believe (although I rarely use the event visualisation) that you must specify a

| fields a b c...

in your SPL to get fields from the event to show up in the event panel as fields. The XML <fields> element is used as a way to limit the display of the available fields from the search, so in order to get those fields there in the first place, you must use the SPL fields command to specify fields you want.

Using the table command is not the right way

lcguilfoil · ‎05-16-2025

Thank you! I changed from the table command to the fields command.

When I tried to use a drilldown again (set host_token = $row.host$), it still didn't work...any ideas?

isoutamo · ‎05-13-2025

You can start with this app https://classic.splunkbase.splunk.com/app/1603/

WIth it you can see some examples how you should play with tokens and then try those with your own dashboard.

Here is one UG presentation how to use tokens etc. https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf

lcguilfoil · ‎05-13-2025

Hi! Thank you for the resources! I have been reviewing them, as well as doing other search. I still am unsure, so any specific help you can offer is appreciated.

isoutamo · ‎05-19-2025

Have you add this

... script="simple_xml_examples:showtokens.js"

into your <form … > line?

With this addition you can see all defined tokens and their values.

Of course you must 1st install this app.

isoutamo · ‎05-13-2025

Can you post these tokens?
$case_token$ $host_token$ $level_token$ $rule_token$

lcguilfoil · ‎05-13-2025

Yes! The token are made like this. Here are some examples. These tokens are working correctly.

<input type="dropdown" token="case_token" searchWhenChanged="true">
	<label>Case Selector</label>
	<fieldForLabel>case</fieldForLabel>
	<fieldForValue>case</fieldForValue>
	<search>
		<query>| tstats count where index=string* by index
		| table index
		</query>
	</search>
</input>

<input type="multiselect" token="host_token" searchWhenChanged="true">
	<label>Host</label>
	<fieldForLabel>Host</fieldForLabel>
	<fieldForValue>host</fieldForValue>
	<search>
		<query>| tstats count where $case_token$ by host |table host</query>
	</search>
</input>

What isn't working is the creation of the $channel_token$ made with the drilldown. I think it might be because I'm using an event pane and not a table pane.

Classic Dashboard Drilldown Click on a Value and Set Token

Classic dashboard

drilldown

token

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation