
How to Parse value from one panel to another panel in Splunk Dashboard studio

Sudhagar
Loves-to-Learn Everything

Hello Team,

 

I have a panel with a table visualization; when clicked, it has to parse the value from this panel to another panel's data source (Splunk query).

I have tried this by adding an interaction (set tokens) and using the token value in panel 2.

Panel 1

{
    "type": "drilldown.setToken",
    "options": {
        "tokens": [
            {
                "token": "event_id",
                "key": "eventid"
            }
        ]
    }
}


Panel2 Datasource (Splunk query)
`citrix_alerts`
| fields - Component,Alert_type,Country,level,provider,message,alert_time
| search event_id=$eventid$


JSON
{
    "type": "splunk.table",
    "options": {
        "backgroundColor": "transparent",
        "tableFormat": {
            "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByBackgroundColor)",
            "headerBackgroundColor": "> backgroundColor | setColorChannel(tableHeaderBackgroundColorConfig)",
            "rowColors": "> rowBackgroundColors | maxContrast(tableRowColorMaxContrast)",
            "headerColor": "> headerBackgroundColor | maxContrast(tableRowColorMaxContrast)"
        }
    },
    "dataSources": {
        "primary": "ds_pRiJzPOh"
    },
    "showProgressBar": false,
    "showLastUpdated": false,
    "context": {}
}




0 Karma

Sudhagar
Loves-to-Learn Everything

Hello @livehybrid @PrewinThomas 

Thanks a lot for your valuable replies

I have tried the same, but what's happening is, it's fetching the values only one time, but when clicked other values it's getting picked up those values. Providing my code for your reference; could you please take a look and provide your guidance on how to solve this?


{
    "type": "splunk.table",
    "showProgressBar": false,
    "showLastUpdated": false,
    "dataSources": {
        "primary": "ds_GCK97kyD"
    },
    "options": {
        "backgroundColor": "> themes.defaultBackgroundColor",
        "tableFormat": {
            "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByTheme)"
        },
        "font": "monospace",
        "columnFormat": {
            "Severity": {
                "data": "> table | seriesByName(\"Severity\") | formatByType(SeverityColumnFormatEditorConfig)",
                "rowColors": "> table | seriesByName('Severity') | matchValue(SeverityRowColorsEditorConfig)"
            },
            "Sev": {
                "width": 38,
                "data": "> table | seriesByName(\"Sev\") | formatByType(SevColumnFormatEditorConfig)",
                "rowColors": "> table | seriesByName('Sev') | matchValue(SevRowColorsEditorConfig)"
            },
            "Role": {
                "width": 51
            },
            "AlertParams": {
                "width": 223
            },
            "EventID": {
                "width": 63
            },
            "Server": {
                "width": 104
            },
            "Team": {
                "width": 101
            }
        }
    },
    "context": {
        "SeverityColumnFormatEditorConfig": {
            "number": {
                "thousandSeparated": false,
                "unitPosition": "after"
            }
        },
        "SeverityRowColorsEditorConfig": [
            {
                "match": 1,
                "value": "#D41F1F"
            },
            {
                "match": 2,
                "value": "#CBA700"
            },
            {
                "match": 3,
                "value": "#118832"
            }
        ],
        "SevColumnFormatEditorConfig": {
            "number": {
                "thousandSeparated": false,
                "unitPosition": "after"
            }
        },
        "SevRowColorsEditorConfig": [
            {
                "match": 2,
                "value": "#D41F1F"
            },
            {
                "match": 1,
                "value": "#CBA700"
            },
            {
                "match": "",
                "value": "#118832"
            }
        ]
    },
    "title": "",
    "eventHandlers": [
        {
            "options": {
                "tokens": [
                    {
                        "key": "row.event_id.value",
                        "token": "eventid"
                    }
                ]
            },
            "type": "drilldown.setToken"
        }
    ]
}

 

{
    "type": "splunk.markdown",
    "options": {
        "markdown": "selected eventid : $eventid$",
        "fontColor": "#ffffff",
        "fontSize": "custom",
        "customFontSize": 25
    },
    "context": {},
    "showProgressBar": false,
    "showLastUpdated": false
}



I am using this markdown just to know whether the interaction is working fine or not, but my actual aim is to parse this table's clicked eventid value into the query below:

`citrix_alerts`
| fields - Component,Alert_type,Country,level,provider,message,alert_time
| search event_id=$eventid$

 

0 Karma

livehybrid
SplunkTrust

Here is a full working example for you to try:


 

{
    "title": "TokenSet",
    "description": "",
    "inputs": {
        "input_global_trp": {
            "options": {
                "defaultValue": "-24h@h,now",
                "token": "global_time"
            },
            "title": "Global Time Range",
            "type": "input.timerange"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "earliest": "$global_time.earliest$",
                        "latest": "$global_time.latest$"
                    }
                }
            }
        },
        "visualizations": {
            "global": {
                "showProgressBar": true
            }
        }
    },
    "visualizations": {
        "viz_6cm12FqM": {
            "options": {
                "markdown": "eventid: $eventid$"
            },
            "type": "splunk.markdown"
        },
        "viz_Fba9zdzF": {
            "dataSources": {
                "primary": "ds_60Uo5lG8"
            },
            "eventHandlers": [
                {
                    "options": {
                        "tokens": [
                            {
                                "key": "row.event_id.value",
                                "token": "eventid"
                            }
                        ]
                    },
                    "type": "drilldown.setToken"
                }
            ],
            "options": {},
            "type": "splunk.table"
        }
    },
    "dataSources": {
        "ds_60Uo5lG8": {
            "name": "Search_1",
            "options": {
                "query": "| makeresults count=5 \n| streamstats count\n| eval msg=\"Test message\".tostring(count)\n| eval event_id=md5(msg)"
            },
            "type": "ds.search"
        }
    },
    "layout": {
        "globalInputs": [
            "input_global_trp"
        ],
        "layoutDefinitions": {
            "layout_1": {
                "options": {
                    "display": "auto",
                    "height": 960,
                    "width": 1440
                },
                "structure": [
                    {
                        "item": "viz_6cm12FqM",
                        "position": {
                            "h": 40,
                            "w": 360,
                            "x": 20,
                            "y": 20
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_Fba9zdzF",
                        "position": {
                            "h": 120,
                            "w": 1360,
                            "x": 20,
                            "y": 60
                        },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "options": {},
        "tabs": {
            "items": [
                {
                    "label": "New tab",
                    "layoutId": "layout_1"
                }
            ]
        }
    }
}

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

livehybrid
SplunkTrust

Hi @Sudhagar 

The issue here is your "token" field value - it should be either key, value or row.<fieldName>.value, such as:

"eventHandlers": [
    {
        "options": {
            "tokens": [
                {
                    "key": "row.event_id.value",
                    "token": "eventid"
                }
            ]
        },
        "type": "drilldown.setToken"
    }
],

NOT just the field name as you have in your example.

@PrewinThomas Regarding $click.value$ - Doesn't this only apply to classic XML dashboards?


0 Karma

PrewinThomas
Motivator

@livehybrid Thanks for pointing it out. Yes, that applies to classic only.
@Sudhagar As @livehybrid mentioned, you can use row.event_id.value (for a specific field value) or value (for any clicked value) or name (field name of the clicked value) in Dashboard Studio.

 

"options": {
    "tokens": [
        {
            "key": "value",
            "token": "eventid"
        }
    ]
}

 

0 Karma

Sudhagar
Loves-to-Learn Everything

Thanks for the hint @PrewinThomas,
but even after changing it, it's not working dynamically whenever we click on panel1.
To do the troubleshooting I just put the $event_id$ token in markdown, but the clicked value inside panel1 is not showing in markdown as well.
Could you please help by sharing what I am doing wrong, or share some reference docs for the same?

{
    "type": "splunk.markdown",
    "options": {
        "markdown": "$event_id$",
        "fontColor": "#ffffff",
        "fontSize": "custom",
        "customFontSize": 25
    },
    "context": {},
    "showProgressBar": false,
    "showLastUpdated": false
}




0 Karma

PrewinThomas
Motivator

@Sudhagar 

What's your actual field name? Is it eventid or event_id?
Also, can you test with the below (to get your actual clicked value)?

 

{
    "type": "drilldown.setToken",
    "options": {
        "tokens": [
            {
                "token": "event_id",
                "value": "$click.value$"
            }
        ]
    }
}

 

Then use markdown to test

{
    "type": "splunk.markdown",
    "options": {
        "markdown": "**Selected Event ID:** $event_id$",
        "fontColor": "#ffffff",
        "fontSize": "custom",
        "customFontSize": 25
    }
}


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma

PrewinThomas
Motivator

@Sudhagar 

Your token name is event_id, but in your query you are referring to the key name.

Use,

`citrix_alerts`
| search eventid=$event_id$
| fields - Component,Alert_type,Country,level,provider,message,alert_time

Also make sure the field in Panel 1 is actually named eventid. If it's event_id, update the key accordingly


0 Karma
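
Both problems diagnosed in this thread (a `key` that is not one of the forms named in the replies, and a `$token$` reference whose name is never set) can be caught by linting the dashboard definition JSON before testing clicks. The following is an added example, not part of any post above; `lint_tokens`, `sample`, `viz_table` and `ds_detail` are hypothetical names, and the accepted key forms are only those mentioned in the replies.

```python
import re

# Key forms named in this thread for drilldown.setToken (assumption: not exhaustive).
KEY_FORMS = re.compile(r"^(value|name|row\.[^.]+\.value)$")
# Matches $token$, $token.sub$ and $token|filter$ references inside strings.
TOKEN_REF = re.compile(r"\$([A-Za-z_]\w*)(?:[.|][^$\s]*)?\$")


def walk_strings(node):
    """Yield every string value nested anywhere in parsed JSON."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from walk_strings(child)


def lint_tokens(definition):
    """Return (bad_keys, unset_refs) for a Dashboard Studio definition dict."""
    inputs = definition.get("inputs", {}).values()
    defined = {i.get("options", {}).get("token") for i in inputs}
    bad_keys = []
    for viz_id, viz in definition.get("visualizations", {}).items():
        for handler in viz.get("eventHandlers", []):
            if handler.get("type") != "drilldown.setToken":
                continue
            for entry in handler.get("options", {}).get("tokens", []):
                defined.add(entry.get("token"))
                if not KEY_FORMS.match(entry.get("key", "")):
                    bad_keys.append((viz_id, entry.get("key")))
    used = {m for text in walk_strings(definition) for m in TOKEN_REF.findall(text)}
    return bad_keys, sorted(used - defined)


def sample(key, token):
    """Constructed definition shaped like the panels posted in this thread."""
    handler = {"type": "drilldown.setToken",
               "options": {"tokens": [{"key": key, "token": token}]}}
    query = "`citrix_alerts` | search event_id=$eventid$"
    return {
        "visualizations": {"viz_table": {"type": "splunk.table", "eventHandlers": [handler]}},
        "dataSources": {"ds_detail": {"type": "ds.search", "options": {"query": query}}},
    }


if __name__ == "__main__":
    print(lint_tokens(sample("eventid", "event_id")))  # key/token as first posted
    print(lint_tokens(sample("row.event_id.value", "eventid")))  # corrected form
```
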