Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dashboard drilldown should pick clicked time range not token time range

splunklearner
Communicator
‎07-23-2025 11:46 AM

I created a summary index to call it in dashboard because it has so much data and need to run for larger time frames.

Configured summary index in this way -

<my search query>
----
----
----
| eval log_datetime=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| rename log_datetime AS "Time (UTC)"
|table _time, "Time (UTC)", <wanted fields>
| collect index=sony_summary

Now calling it in one of my dashboard panel in this way - 

index=sony_summary sourcetype=stash
|search <passed drop-down tokens>
|sort 0 -"Time (UTC)"
| table  "Support ID","Time (UTC)", _time --------

 Now my requirement is I don't want users to see this summary index data. So I have created a drilldown and linked to different search as below. Whenever they click on any field value in table, new search will be opened with clicked support_id

 

<earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
<!-- Drilldown Configuration -->
        <!-- Enable row-level drilldown -->
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">/app/search/search?q=search index=sony* sourcetype=sony_logs
support_id="$click.value$"&amp;earliest=$time_range.earliest$&amp;latest=$time_range.latest</link>
        </drilldown>

 

Now when I click on dashboard panel's field, it is opening with expected support_id as expected, but it is opening with token time range. I am expecting that this should return the particular time range at what time event indexed as per Time (UTC) or _time. Example - An event has support ID with time 07:00 am, when I click on it it should open for 7 am, but it is taking token time range.

When I checked in chatgpt, it given in following one and modified it in this way.

<table id="myTable">
<search>
<query>index=sony_summary sourcetype=stash
|search <passed drop-down tokens>
|sort 0 -"Time (UTC)"

|eval epoch_time=_time, epoch_plus60=_time+60 (added this now)
| table  "Support ID","Time (UTC)", _time -------- , epoch_time, epoch_plus60</query>

</search>

 <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
<!-- Drilldown Configuration -->
        <!-- Enable row-level drilldown -->
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">/app/search/search?q=search index=sony* sourcetype=sony_logs
support_id="$click.value$"&amp;earliest=$row.epoch_time$&amp;latest=$row.epoch_plus60</link>
        </drilldown>

Now this is working fine and time range is also coming what I clicked on. but here the issue is I don't want these two new fields - epoch_time, epoch_plus60 to be visible in dashboard. These should get hided completely but still drilldown should work as expected. What to do here? Please suggest me. Am I missing anything? Even if I keep those fields in the last in panel, still my manager said hide it but it should work as expected.

Labels (4)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-23-2025 04:46 PM

just use the <fields> element in your <table> to restrict what fields are shown in the table. All other fields are still available for drilldown with $row.x$

https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#table

 

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-23-2025 12:56 PM

Further to my last reply, I've tested with the following which I think does what you need 🙂

<form version="1.1">
  <label>Testing</label>
  <row>
    <panel>
      <title>Support cases</title>
<table id="myTable">
<search>
<query>index=_internal | head 3
| eval "Time (UTC)"=_time

| eval "Support ID"="Testing"
|eval _epoch_time=_time, _epoch_plus60=_time+60
| table  "Support ID","Time (UTC)", _time, _epoch_time, _epoch_plus60</query>


 <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
<!-- Drilldown Configuration -->
        <!-- Enable row-level drilldown -->
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">/app/search/search?q=search index=sony* sourcetype=sony_logs support_id="$click.value$"&amp;earliest=$row._epoch_time$&amp;latest=$row._epoch_plus60$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-23-2025 12:46 PM

Hi @splunklearner 

If you prefix those epoch fields with an underscore _ then it wont show up in the Table, but you can still reference it as a token. 
Try the following:

<table id="myTable">
<search>
<query>index=sony_summary sourcetype=stash
|search <passed drop-down tokens>
|sort 0 -"Time (UTC)"

|eval _epoch_time=_time, _epoch_plus60=_time+60 (added this now)
| table  "Support ID","Time (UTC)", _time -------- , _epoch_time, _epoch_plus60</query>

</search>

 <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
<!-- Drilldown Configuration -->
        <!-- Enable row-level drilldown -->
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">/app/search/search?q=search index=sony* sourcetype=sony_logs
support_id="$click.value$"&amp;earliest=$row._epoch_time$&amp;latest=$row._epoch_plus60</link>
        </drilldown>
... etc...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...