Hello Again,
I am using Splunk 9.4.12 on Oracle Linux 9. I want to use dashboard studio. Is dashboard studio preferred over simple xml? I want to use the name/value of a column to create a search for a table using a token. Depending on column name (ERRORS or WARNINGS) I want to see a table with the token set to $ERRORS$ or $WARNINGS$. Can this be done using Splunk Dashboard Studio, or do I have to use Simple XML?
Thanks,
eholz1
Is dashboard studio preferred over simple xml?
It depends on what you weigh. Splunk's strategic direction is Dashboard Studio — that's where new visualization work and feature investment go, and it's what Splunk steers new users toward. Simple XML is still fully supported and not deprecated, so existing dashboards aren't going anywhere.
The practical catch for your use case: Simple XML still has a couple of drilldown capabilities Dashboard Studio doesn't replicate cleanly, and conditional drilldown is the big one. More on that below.
Yes, this works in Dashboard Studio. As of 9.4, the table visualization supports predefined drilldown tokens where you choose an event of either name, value, or row.<fieldname>.value — and "name" is the field name of the value/location clicked. So clicking a cell in your ERRORS column gives you name = "ERRORS", and the WARNINGS column gives name = "WARNINGS". That's the column-detection you're after.
You'd configure it under the Interactions section of the visualization's config panel, or directly in JSON:
```json
"eventHandlers": [
  {
    "type": "drilldown.setToken",
    "options": {
      "tokens": [
        { "token": "clicked_col", "key": "name" },
        { "token": "clicked_val", "key": "value" }
      ]
    }
  }
]
```
After a click, $clicked_col$ holds "ERRORS" or "WARNINGS" and $clicked_val$ holds the cell's value. Your detail table's search then consumes them, e.g.:
```
index=your_index | search severity="$clicked_col$"
```
If the column label doesn't match the raw field value, you map it in SPL with an eval/case rather than needing two tokens.
Where you'll feel the difference is your phrasing about setting either `$ERRORS$` or `$WARNINGS$` depending on the column. Simple XML does this natively with <condition match="..."> blocks that set one token and unset others. Dashboard Studio's drilldown.setToken has no equivalent conditional matcher - this is a long-standing gap that trips people up. You can't say "if column is ERRORS, set this token; else set that one" inside the event handler.
So you have two realistic paths:
The Dashboard Studio way — set a single token to the column name (as above) and do all the branching in SPL with eval ... case() or if(). This is clean and is how most people handle it in Studio. One token, logic lives in the search.
The Simple XML way — if you genuinely need separate $ERRORS$ and $WARNINGS$ tokens set/unset conditionally (e.g., to show/hide whole panels), Simple XML's <condition match="'click.name2'==&quot;ERRORS&quot;"> pattern is more direct and less fiddly.
My suggestion: build it in Dashboard Studio with the single clicked_col token and branch in SPL. You keep Splunk's preferred platform and avoid the one feature it's missing. Only fall back to Simple XML if you specifically need conditional token unsetting for panel visibility that's awkward to drive from a single token.
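The single-token approach from the answer above, sketched as the detail table's search. This is an added example, not part of the original post; `$clicked_col$` is the token set by the drilldown handler shown in the answer, while the field names `log_level`, `host` and `message` and the raw values `ERROR` and `WARN` are assumptions to replace with your own.

```spl
index=your_index
| eval clicked_col="$clicked_col$"
| eval wanted_level=case(
    clicked_col=="ERRORS",   "ERROR",
    clicked_col=="WARNINGS", "WARN",
    true(),                  null())
| where log_level==wanted_level
| table _time host log_level message
```

Because the token is substituted into the search as text, the `case()` acts as an allow-list: any column name other than the two expected ones maps to null and the table returns no rows.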