Dashboards & Visualizations

Drill down to absolute URL using click.value


I have a simple table where one column contains a URL. I would like to redirect to that url and if possible in a new window.

like so:


it redirects to the current URL plus $row.link$ 😞
I suspect, that Splunk checks if the link tag starts with http*

1 Solution

Path Finder

this worked for me. no JS required.

<condition field="URL">
<link target="_blank">$click.value2|n$</link>

View solution in original post

New Member

How to achieve this if I want to navigate to a folder path
Consider the result of splunk query
Name| path
Path1 | \abc\p1
Path2 | \abc\p2

I want to click and navigate to the paths .

For weburls i can achieve using $click.value2|n$
But in the case of folders and shared paths how to achieve this???

0 Karma


I found the pipe n needed for it to work for me:

  1. use link tag
  2. $click.value2|n$ -note- pipe n prevents special character escaping

Path Finder

this worked for me. no JS required.

<condition field="URL">
<link target="_blank">$click.value2|n$</link>


I managed to get it work. Both are not the best way, but it works for me.

Convert it yo HTML
Change the below line:-

// var url = TokenUtils.replaceTokenNames("{{SPLUNKWEB_URL_PREFIX}}/app/lionel/$click.value2$", _.extend(submittedTokenModel.toJSON(), e.data), TokenUtils.getEscaper('url'));
var url = TokenUtils.replaceTokenNames("$click.value2$", _.extend(submittedTokenModel.toJSON(), e.data));

Write a javascript that will accept the full url as a get data, which will redirect to the url.
Here is the redirect javascript:- (eg:- http://mydomain/redirect.html)

    function getParameterByName(name) {
    name = name.replace(/[\[]/, "\\[").replace(/[\]]/, "\\]");
    var regex = new RegExp("[\\?&]" + name + "=([^&#]*)"),
        results = regex.exec(location.search);
    return results === null ? "" : decodeURIComponent(results[1].replace(/\+/g, " "));
    window.location = getParameterByName("goto");

so now, from the simpleXML of the dashboard, it should look like this:-

    <drilldown target="_blank">
0 Karma

Splunk Employee
Splunk Employee

This behavior is due to purposeful url escaping in the dynamic drilldown feature.

There is an example of using an external link in the Splunk 6.x Dashboard Examples app version 2.0.1 (NB: The external link example is not available in version 1.0 of that app). The page named "Drilldown URL Field Value" provides an example of how to render an external link in a separate clickable column. Below, I'll paste a generic example, using that example's JS as a base, but updating it to make the original column a clickable link to an external page.

In the simple XML, we reference a JavaScript file named drilldown_external_url.js (which should be in the app's appserver/static directory), we add an ID to the table (external_link), and we disable drilldown. Here's the simple XML:

<dashboard script="drilldown_external_url.js">
    <table id="external_link">
      <searchString>| stats count  | eval target="http://splunk.com"</searchString>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="count">10</option>

We update the JavaScript to reference the table ID (external_link) and the field name's column (target). If the table name or field name is different in your simple XML, be sure to update the JS accordingly. Here is the drilldown_external_url.js

], function(_, $, mvc, TableView) {
    var CustomLinkRenderer = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
            return cell.field === 'target';
        render: function($td, cell) {
            var link = cell.value;
            var a = $('<a>').attr("href", cell.value).text(cell.value);

            a.click(function(e) {
              window.location = $(e.currentTarget).attr('href');
              // or for popup:
              // window.open($(e.currentTarget).attr('href'));

        // Get the table view by id
        // Register custom cell renderer
        tableView.table.addCellRenderer(new CustomLinkRenderer());
        // Force the table to re-render

Path Finder

Great answer - works like a charm.

0 Karma

Esteemed Legend

@jhupka, you should click Accept to award him karma.

0 Karma


I am seeing this exact same issue. I am surprised it hasnt been fixed almost a year on.

My row is like this but it still leaves everything encoded

        <title>Asset threats over last 60 days</title>
        <searchString>index=cve-details vendor_id=$vendor_id$ | join vendor_id [ | inputlookup asset-list.csv ] | eval url=urldecode(url) | sort update_date desc | table asset_code, asset_name, vendor_name, cve_id, cwe_name, publish_date, update_date, summary, url</searchString>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
          <option name="count">10</option>
            <link><![CDATA[ $row.url$ ]]></link>

My link ends up looking like this. (not it is still encoded for URLs which is should not be)

So for a row with
url = http://www.cvedetails.com/cve/cve-2013-1763//

The drilldown link is

Is there anyway to get the raw text of the field to be the link?

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...