Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Have a Drilldown affect a Token set in a multi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a Splunk Classic Dashboard. I have a Table Panel at the top of the dashboard that has Top Critical Alerts with the Rule Title in the left column and the number in the right column. I set a drilldown for this table:
<drilldown>
<set token="rule_token">$click.name$</set>
</drilldown>Later on, I have an Event Panel that has a Multiselect:
<input type="multiselect" token="rule_token" searchWhenChanged="true">
<label>Rule</label>
<choice value="*">All Rules</choice>
<default>*</default>
<fieldForLabel>RuleTitle</fieldForLabel>
<fieldForValue>RuleTitle</fieldForValue>
<search>
<query>| tstats count where index=index by RuleTitle</query>
</search>
<prefix>RuleTitle IN (</prefix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>I want the token set in the multiselect to be changed by the drilldown from the Critical Alerts table. For example, if I select the value "Defender Alert" in the Critical Hits table, I want the rule_token in the multiselect to change to Defender Alert. How can I get this to happen?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try it like this
<drilldown>
<set token="form.rule_token">$click.name$</set>
</drilldown>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try it like this
<drilldown>
<set token="form.rule_token">$click.name$</set>
</drilldown>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! That works! Now, is there a way to select multiple of the values in the table and have multiple values set with the token? So, for example, if the Rules in the Critical Table are "Defender Alert" and "Antivirus Hacktool Detected", and I click on both of them, is there a way to have these both assigned to the token rule_token and appear in the multiselect? Please let me know if that makes sense!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @lcguilfoil
To achieve this you can use the following
<drilldown>
<eval token="form.rule_token">mvappend($form.rule_token$,$click.value$)</eval>
</drilldown>Ive updated my previous answer to include this but also see below for working example:
<form version="1.1" theme="light">
<label>AnswersTesting</label>
<fieldset submitButton="false">
<input type="multiselect" token="rule_token" searchWhenChanged="true">
<label>Rule</label>
<choice value="*">All Rules</choice>
<default>*</default>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>| tstats count where index=_internal by host</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<prefix>host IN (</prefix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|tstats count where index=_internal by host</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">cell</option>
<drilldown>
<eval token="form.rule_token">mvappend($form.rule_token$,$click.value$)</eval>
</drilldown>
</table>
</panel>
</row>
</form>Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @lcguilfoil
You need to use "form.rule_token" in the set token like this:
<set token="form.rule_token">$click.value$</set>
Updated:
If you want to append to existing selections then use:
<eval token="form.rule_token">mvappend($form.rule_token$,$click.value$)</eval>Here is a full example to demonstrate if it helps
<form version="1.1" theme="light">
<label>AnswersTesting</label>
<fieldset submitButton="false">
<input type="multiselect" token="rule_token" searchWhenChanged="true">
<label>Rule</label>
<choice value="*">All Rules</choice>
<default>*</default>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>| tstats count where index=_internal by host</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<prefix>host IN (</prefix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|tstats count where index=_internal by host</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">cell</option>
<drilldown>
<eval token="form.rule_token">mvappend($form.rule_token$,$click.value$)</eval>
</drilldown>
</table>
</panel>
</row>
</form>Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did this work for appending to your dropdown?
@livehybrid wrote:Hi @lcguilfoil
You need to use "form.rule_token" in the set token like this:
<set token="form.rule_token">$click.value$</set>
Updated:
If you want to append to existing selections then use:
<eval token="form.rule_token">mvappend($form.rule_token$,$click.value$)</eval>Here is a full example to demonstrate if it helps
<form version="1.1" theme="light">
<label>AnswersTesting</label>
<fieldset submitButton="false">
<input type="multiselect" token="rule_token" searchWhenChanged="true">
<label>Rule</label>
<choice value="*">All Rules</choice>
<default>*</default>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>| tstats count where index=_internal by host</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<prefix>host IN (</prefix>
<delimiter>,</delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|tstats count where index=_internal by host</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">cell</option>
<drilldown>
<eval token="form.rule_token">mvappend($form.rule_token$,$click.value$)</eval>
</drilldown>
</table>
</panel>
</row>
</form>Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
