Re: Classic Dashboard Drilldown Click on a Value a...

lcguilfoil · ‎05-13-2025

Hello! I have a Classic Dashboard in Splunk and I am currently working with an Events pane. I am trying to set a token via drilldown. Here is my code:

<event>
	<search>
		<query>$case_token$ $host_token$ $level_token$ $rule_token$</query>
	</search>
	<fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
	<option name="count">50</option>
	<option name="list.drilldown">none</option>
	<option name="list.wrap">1</option>
	<option name="raw.drilldown">none</option>
	<option name="refresh.display">progressbar</option>
	<option name="table.drilldown">all</option>
	<option name="table.sortDirect">asc</option>
	<option name="table.wrap">1</option>
	<option name="type">table</option>
	<drilldown>
		<condition field="Channel">
			<set token="channel_token">$click.value$</set>
		</condition>
	</drilldown>
</event>

There's two problems:

1. The token is not being set when I click on the table.

2. The condition to only select from the Channel fields is not working.

Thank you in advance!

yuanliu · ‎05-18-2025

Let me start with the obvious:

Because you are using table in your query, <table /> is the appropriate panel type, not <event/> used in your illustration.
You use drilldown type to be "All", set token to $click.value$ and expect it to take the value of field Channel. That is not how drilldown works. The value should be set to $row.Channel$. (There is another drilldown type "Cell". But if you want to the token to represent Channel, this is inappropriate.)

Here is a complete mock dashboard for you to play with. Wherever you click, the clicked Channel value will be displayed in the panel's title. Play with it and adapt it for your use.

<dashboard version="1.1" theme="light">
  <label>Click to set token</label>
  <description>https://community.splunk.com/t5/Dashboards-Visualizations/Classic-Dashboard-Drilldown-Click-on-a-Value-and-Set-Token/m-p/746080#M58677</description>
  <row>
    <panel>
      <title>Click on any row</title>
      <table>
        <title>Channel in that row should be &gt;$channel_token$&lt;</title>
        <search>
          <query>index = _internal component=* thread_id=*
| rex "^(?&lt;Timestamp&gt;\S+ \S+ \S+)"
| rename component as Channel, log_level as Level, event_message as Details, thread_id as RecordID,
  thread_name as Ruletitle
| table Timestamp Level Channel RecordID Ruletitle Details *</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="channel_token">$row.Channel$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

bowesmana · ‎05-18-2025

@yuanliu Actually the event display type is perfectly fine if the OP wants it - it has very different behaviour to table - and <event> does support a table mode, but it does appear that conditional specific drilldown does not work as the OP describes - using table and fields command gives different behaviour - I did recreate his behaviour where conditional drilldown does NOT work on the Channel field despite it being visible, but cannot reproduce it.

For example, if using the table command in the SPL, if you create any fields AFTER that statement, those fields do not seem to appear in the event table, whereas if you set them before the table command, it shows that column in the table, whereas using the fields command in SPL it makes no difference.

@lcguilfoil I don't have a specific answer, but if you can click on the magnifying class of the event listing so that it opens up the real search in a new window and post that here, that would be useful - you did not post your entire search - not the one in the XML, but the real search as it runs after all the tokens are set.

lcguilfoil · ‎05-19-2025

Hello, and thank you for your help! Here is my what my dashboard looks like now:

<event>
	<search>
		<query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$
| fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
	</search>
	<fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
	<option name="count">50</option>
	<option name="list.drilldown">none</option>
	<option name="list.wrap">1</option>
	<option name="raw.drilldown">none</option>
	<option name="refresh.display">progressbar</option>
	<option name="table.drilldown">all</option>
	<option name="table.sortDirect">asc</option>
	<option name="table.wrap">1</option>
	<option name="type">table</option>
	<drilldown>
		<condition field="Channel">
			<set token="channel_token">$click.value$</set>
		</condition>
	</drilldown>
</event>

Here is what the corresponding search looks like:

index=test-index sourcetype=hayabusa host=* Level=* RuleType=*
| fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details

ITWhisperer · ‎05-19-2025

Has this now been solved (as I can't see anything wrong with what you posted - apart from some obvious harmlessly-redundant options)?

lcguilfoil · ‎05-19-2025

It is not solved, thank you for asking!

1. Can you please alert me to what is harmlessly redundant?

2. The token does not work. I used a drilldown to set Channel to click.value (I also tried to set Channel to row.Channel), but it doesn't work.

ITWhisperer · ‎05-19-2025

I have a version working with just table.drilldown = all, i.e. list.drilldown and raw.drilldown seem to be redundant. Also, table.drilldown = 1 seems to work.

Which version of Splunk are you using?

lcguilfoil · ‎05-19-2025

I am using Splunk version 9.4.0.

I got rid of the list and raw drilldown options and made sure only table.drilldown was present and set to all. It's still not working.

ITWhisperer · ‎05-19-2025

How do you know it isn't working? How are you using the token? Try updating the title (temporarily) to see if it changes?

<event>
	<title>$channel_token$</title>
	<search>
		<query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$
| fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
	</search>
	<fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
	<option name="count">50</option>
	<option name="list.drilldown">none</option>
	<option name="list.wrap">1</option>
	<option name="raw.drilldown">none</option>
	<option name="refresh.display">progressbar</option>
	<option name="table.drilldown">all</option>
	<option name="table.sortDirect">asc</option>
	<option name="table.wrap">1</option>
	<option name="type">table</option>
	<drilldown>
		<condition field="Channel">
			<set token="channel_token">$click.value$</set>
		</condition>
	</drilldown>
</event>

lcguilfoil · ‎05-19-2025

I currently have a dropdown for the $channel_token$. However, I followed your advice and set the title to $channel_token$. The title does not update when I click on a row or Channel option in the event pane.

ITWhisperer · ‎05-19-2025

Wait! You have already defined channel_token elsewhere in the dashboard? You should have mentioned this before!

Try updating the form token in your drilldown

<event>
	<title>$channel_token$</title>
	<search>
		<query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$
| fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
	</search>
	<fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
	<option name="count">50</option>
	<option name="list.drilldown">none</option>
	<option name="list.wrap">1</option>
	<option name="raw.drilldown">none</option>
	<option name="refresh.display">progressbar</option>
	<option name="table.drilldown">all</option>
	<option name="table.sortDirect">asc</option>
	<option name="table.wrap">1</option>
	<option name="type">table</option>
	<drilldown>
		<condition field="Channel">
			<set token="form.channel_token">$click.value$</set>
		</condition>
	</drilldown>
</event>

lcguilfoil · ‎05-19-2025

This is what I currently have:

<event>
	<title>$channel_token$</title>
	<search>
		<query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$
| fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
	</search>
	<fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
	<option name="count">50</option>
	<option name="refresh.display">progressbar</option>
	<option name="table.drilldown">all</option>
	<option name="table.sortDirect">asc</option>
	<option name="table.wrap">1</option>
	<option name="type">table</option>
	<drilldown>
		<set token="form.channel_token">$click.value$</set>
	</drilldown>
</event>

This does not change the title from $channel_token$ to an actual value.

When you say update, is that different from the "set token" feature?

ITWhisperer · ‎05-19-2025

Can you share the source for the dropdown?

lcguilfoil · ‎05-19-2025

Yes! Here it is:

<input type="multiselect" token="channel_token" searchWhenChanged="true">
	<label>Channel</label>
	<fieldForLabel>Channel</fieldForLabel>
	<fieldForValue>Channel</fieldForValue>
	<search>
		<query>| tstats count where $case_token$ sourcetype=hayabusa by Channel</query>
		<earliest>0</earliest>
		<latest></latest>
	</search>
	<delimiter> </delimiter>
	<choice value="*">All Channels</choice>
	<default>*</default>
	<initialValue>*</initialValue>
</input>

ITWhisperer · ‎05-19-2025

This doesn't appear in your "full dashboard code" you post in a previous response. Please clarify which code is in which dashboard?

lcguilfoil · ‎05-19-2025

Hi, I apologize for the confusion -- I updated the code to be complete. Thank you!

isoutamo · ‎05-19-2025

Is it possible that you will share the whole dashboard code?

lcguilfoil · ‎05-19-2025

Hello! Here it is:

<form version="1.1" theme="dark">
  <label>Hayabusa Overview</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="global_time" searchWhenChanged="true">
      <label>Global Time Range</label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
    <input type="dropdown" token="case_token" searchWhenChanged="true">
      <label>Case Selector</label>
      <prefix>index=case_</prefix>
      <suffix>*</suffix>
      <fieldForLabel>case</fieldForLabel>
      <fieldForValue>case</fieldForValue>
      <search>
        <query>| tstats count where index=case_* by index 
| rex field=index "\_(?&lt;case&gt;.*?)\_" 
| dedup case 
| table case</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="multiselect" token="host_token" searchWhenChanged="true">
      <label>Host</label>
      <choice value="*">All Hosts</choice>
      <fieldForLabel>Host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>| tstats count where $case_token$ sourcetype=hayabusa by host
| table host</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <initialValue>*</initialValue>
      <delimiter>, </delimiter>
      <prefix>host IN (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Top Informational Alerts</title>
        <search>
          <query>| tstats count where $case_token$ sourcetype=hayabusa $host_token$ Level=info by RuleTitle
| sort -count</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <format type="color" field="count">
          <colorPalette type="list">[#65778A,#65778A,#65778A,#65778A,#65778A]</colorPalette>
          <scale type="threshold">0,30,70,100</scale>
        </format>
        <drilldown>
          <set token="form.rule_token">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top Hosts By Hits</title>
        <search>
          <query>| tstats count where $case_token$ sourcetype=hayabusa by host
| sort -count</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <format type="color" field="count">
          <colorPalette type="minMidMax" maxColor="#FFFFFF" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax"></scale>
        </format>
        <drilldown>
          <set token="form.host_token">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Hayabusa Hits Overview</title>
      <input type="multiselect" token="level_token" searchWhenChanged="true">
        <label>Level</label>
        <choice value="*">All Levels</choice>
        <choice value="info">Info</choice>
        <choice value="low">Low</choice>
        <choice value="med">Medium</choice>
        <choice value="high">High</choice>
        <choice value="crit">Critical</choice>
        <default>*</default>
        <initialValue>*</initialValue>
        <prefix>Level IN (</prefix>
        <suffix>)</suffix>
        <valuePrefix>"</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter>, </delimiter>
      </input>
      <input type="multiselect" token="rule_token" searchWhenChanged="true">
        <label>Rule</label>
        <choice value="*">All Rules</choice>
        <default>*</default>
        <initialValue>*</initialValue>
        <fieldForLabel>RuleTitle</fieldForLabel>
        <fieldForValue>RuleTitle</fieldForValue>
        <search>
          <query>| tstats count where $case_token$ $host_token$ sourcetype=hayabusa $level_token$ by RuleTitle
| table RuleTitle</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <prefix>RuleTitle IN (</prefix>
        <suffix>)</suffix>
        <delimiter>,</delimiter>
        <valuePrefix>"</valuePrefix>
        <valueSuffix>"</valueSuffix>
      </input>
      <input type="text" token="search_token" searchWhenChanged="true">
        <label>Search</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="exclude_token" searchWhenChanged="true">
        <label>Search (to Exclude)</label>
        <default>Default Value to Exclude</default>
        <initialValue>Default Value to Exclude</initialValue>
      </input>
		<input type="multiselect" token="channel_token" searchWhenChanged="true">
			<label>Channel</label>
			<fieldForLabel>Channel</fieldForLabel>
			<fieldForValue>Channel</fieldForValue>
			<search>
				<query>| tstats count where $case_token$ sourcetype=hayabusa by Channel</query>
				<earliest>0</earliest>
				<latest></latest>
			</search>
			<delimiter> </delimiter>
			<choice value="*">All Channels</choice>
			<default>*</default>
			<initialValue>*</initialValue>
		</input>
      <html>
        <p>For <strong>Search</strong> and <strong>Search to Exclude</strong>, delimit with a comma. For example: <strong>term,search phrase</strong>
        </p>
      </html>
		<event>
			<title>$channel_token$</title>
			<search>
				<query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$
		| fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
			</search>
			<fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
			<option name="count">50</option>
			<option name="refresh.display">progressbar</option>
			<option name="table.drilldown">all</option>
			<option name="table.sortDirect">asc</option>
			<option name="table.wrap">1</option>
			<option name="type">table</option>
			<drilldown>
				<set token="form.channel_token">$click.value$</set>
			</drilldown>
		</event>
    </panel>
  </row>
</form>

bowesmana · ‎05-19-2025

@lcguilfoil

Your event search does not have a time range associated with it, so it will be running an all time search and so when you click the drilldown the search is still running and will not respond to the drilldown

          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>

Add the time range to your event search.

lcguilfoil · ‎05-20-2025

Thank you for the insight! I made this modification on my dashboard. However, the drilldown is still not accurately setting the token.

isoutamo · ‎05-19-2025

Please install that above app into your sh and then add this script part into your dashboard’s first line! After that you don’t need to guess what you have in which token. It just shows all defined tokens with vale’s to you!
Currently I always use it when I have some other token than time picker and one or two other. It really helps you!

Classic Dashboard Drilldown Click on a Value and Set Token

Classic dashboard

drilldown

token

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?