Re: How to Parse value from one panel to another p...

Sudhagar · ‎08-05-2025

Hello Team,

I have a panel which is having table visualization when clicked it has to parse value from this panel to another panel's data source (splunk query)

I have tried this by putting interaction (set tokens) and used the token value in panel2

Panel 1

      {
            "type": "drilldown.setToken",
            "options": {
                "tokens": [
                    {
                        "token": "event_id",
                        "key": "eventid"
                    }
                ]
            }
        }


Panel2 Datasource (Splunk query)
`citrix_alerts`
| fields - Component,Alert_type,Country,level,provider,message,alert_time
| search event_id=$eventid$


JSON
{
    "type": "splunk.table",
    "options": {
        "backgroundColor": "transparent",
        "tableFormat": {
            "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByBackgroundColor)",
            "headerBackgroundColor": "> backgroundColor | setColorChannel(tableHeaderBackgroundColorConfig)",
            "rowColors": "> rowBackgroundColors | maxContrast(tableRowColorMaxContrast)",
            "headerColor": "> headerBackgroundColor | maxContrast(tableRowColorMaxContrast)"
        }
    },
    "dataSources": {
        "primary": "ds_pRiJzPOh"
    },
    "showProgressBar": false,
    "showLastUpdated": false,
    "context": {}
}

Sudhagar · ‎08-06-2025

Hello @livehybrid @PrewinThomas

Thanks a lot for your valuable replies

i have tried the same but what's happening is , its fetching the values only one time but when clicked other values it's getting pickedup those values. Providing my code for your reference, could you please take a look and provide your guidance on how to solve this

{
    "type": "splunk.table",
    "showProgressBar": false,
    "showLastUpdated": false,
    "dataSources": {
        "primary": "ds_GCK97kyD"
    },
    "options": {
        "backgroundColor": "> themes.defaultBackgroundColor",
        "tableFormat": {
            "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByTheme)"
        },
        "font": "monospace",
        "columnFormat": {
            "Severity": {
                "data": "> table | seriesByName(\"Severity\") | formatByType(SeverityColumnFormatEditorConfig)",
                "rowColors": "> table | seriesByName('Severity') | matchValue(SeverityRowColorsEditorConfig)"
            },
            "Sev": {
                "width": 38,
                "data": "> table | seriesByName(\"Sev\") | formatByType(SevColumnFormatEditorConfig)",
                "rowColors": "> table | seriesByName('Sev') | matchValue(SevRowColorsEditorConfig)"
            },
            "Role": {
                "width": 51
            },
            "AlertParams": {
                "width": 223
            },
            "EventID": {
                "width": 63
            },
            "Server": {
                "width": 104
            },
            "Team": {
                "width": 101
            }
        }
    },
    "context": {
        "SeverityColumnFormatEditorConfig": {
            "number": {
                "thousandSeparated": false,
                "unitPosition": "after"
            }
        },
        "SeverityRowColorsEditorConfig": [
            {
                "match": 1,
                "value": "#D41F1F"
            },
            {
                "match": 2,
                "value": "#CBA700"
            },
            {
                "match": 3,
                "value": "#118832"
            }
        ],
        "SevColumnFormatEditorConfig": {
            "number": {
                "thousandSeparated": false,
                "unitPosition": "after"
            }
        },
        "SevRowColorsEditorConfig": [
            {
                "match": 2,
                "value": "#D41F1F"
            },
            {
                "match": 1,
                "value": "#CBA700"
            },
            {
                "match": "",
                "value": "#118832"
            }
        ]
    },
    "title": "",
    "eventHandlers": [
        {
            "options": {
                "tokens": [
                    {
                        "key": "row.event_id.value",
                        "token": "eventid"
                    }
                ]
            },
            "type": "drilldown.setToken"
        }
    ]
}

{
    "type": "splunk.markdown",
    "options": {
        "markdown": "selected eventid : $eventid$",
        "fontColor": "#ffffff",
        "fontSize": "custom",
        "customFontSize": 25
    },
    "context": {},
    "showProgressBar": false,
    "showLastUpdated": false
}

I am using this markdown just to know whether the interaction is working fine or not , but my actual aim is to parse this table's eventid clicked value into below query

`citrix_alerts`
| fields - Component,Alert_type,Country,level,provider,message,alert_time
| search event_id=$eventid$

livehybrid · ‎08-06-2025

Here is a full working example for your to try:

{
    "title": "TokenSet",
    "description": "",
    "inputs": {
        "input_global_trp": {
            "options": {
                "defaultValue": "-24h@h,now",
                "token": "global_time"
            },
            "title": "Global Time Range",
            "type": "input.timerange"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "earliest": "$global_time.earliest$",
                        "latest": "$global_time.latest$"
                    }
                }
            }
        },
        "visualizations": {
            "global": {
                "showProgressBar": true
            }
        }
    },
    "visualizations": {
        "viz_6cm12FqM": {
            "options": {
                "markdown": "eventid: $eventid$"
            },
            "type": "splunk.markdown"
        },
        "viz_Fba9zdzF": {
            "dataSources": {
                "primary": "ds_60Uo5lG8"
            },
            "eventHandlers": [
                {
                    "options": {
                        "tokens": [
                            {
                                "key": "row.event_id.value",
                                "token": "eventid"
                            }
                        ]
                    },
                    "type": "drilldown.setToken"
                }
            ],
            "options": {},
            "type": "splunk.table"
        }
    },
    "dataSources": {
        "ds_60Uo5lG8": {
            "name": "Search_1",
            "options": {
                "query": "| makeresults count=5 \n| streamstats count\n| eval msg=\"Test message\".tostring(count)\n| eval event_id=md5(msg)"
            },
            "type": "ds.search"
        }
    },
    "layout": {
        "globalInputs": [
            "input_global_trp"
        ],
        "layoutDefinitions": {
            "layout_1": {
                "options": {
                    "display": "auto",
                    "height": 960,
                    "width": 1440
                },
                "structure": [
                    {
                        "item": "viz_6cm12FqM",
                        "position": {
                            "h": 40,
                            "w": 360,
                            "x": 20,
                            "y": 20
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_Fba9zdzF",
                        "position": {
                            "h": 120,
                            "w": 1360,
                            "x": 20,
                            "y": 60
                        },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "options": {},
        "tabs": {
            "items": [
                {
                    "label": "New tab",
                    "layoutId": "layout_1"
                }
            ]
        }
    }
}

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

livehybrid · ‎08-06-2025

Hi @Sudhagar

The issue here is your "token" field value - it should be either key, value or row.<fieldName>.value, such as:

"eventHandlers": [
                {
                    "options": {
                        "tokens": [
                            {
                                "key": "row.event_id.value",
                                "token": "eventid"
                            }
                        ]
                    },
                    "type": "drilldown.setToken"
                }
            ],

NOT just the field name as you have in your example.

@PrewinThomas Regarding $click.value$ - Doesnt this only apply to classic XML dashboards?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

PrewinThomas · ‎08-06-2025

@livehybrid Thanks for pointing it out. Yes that apply to classic only.
@Sudhagar As @livehybrid mentioned you can use row.event_id.value(For specific field value) or value(for any clicked value) or name(field name of the clicked value) in dsahboard studio.

"options": {
"tokens": [
{
"key": "value",
"token": "eventid"
}
]
}

Sudhagar · ‎08-06-2025

Thanks for the hint @PrewinThomas
but even after changing it, its not working dynamically whenever we click at panel1
To do the troubleshooting i just put the $event_id$ token in markdown but the clicked value inside panel1 its not showing in markdown as well.
could you please help to share what i am doing wrong or share some reference docs for the same.

{
    "type": "splunk.markdown",
    "options": {
        "markdown": "$event_id$",
        "fontColor": "#ffffff",
        "fontSize": "custom",
        "customFontSize": 25
    },
    "context": {},
    "showProgressBar": false,
    "showLastUpdated": false
}

PrewinThomas · ‎08-06-2025

@Sudhagar

What's your actual field name? Is it eventid or event_id?.
Also can you test with below(to get your actual clicked value)

{
"type": "drilldown.setToken",
"options": {
"tokens": [
{
"token": "event_id",
"value": "$click.value$"
}
]
}
}

Then use markdown to test

{
"type": "splunk.markdown",
"options": {
"markdown": "**Selected Event ID:** $event_id$",
"fontColor": "#ffffff",
"fontSize": "custom",
"customFontSize": 25
}
}

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

PrewinThomas · ‎08-05-2025

@Sudhagar

Your token name is event_id, but in in your query you are referring to key name.

Use,

`citrix_alerts`
| search eventid=$event_id$
| fields - Component,Alert_type,Country,level,provider,message,alert_time

Also make sure the field in Panel 1 is actually named eventid. If it's event_id, update the key accordingly

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

How to Parse value from one panel to another panel in Splunk Dashboard studio

Dashboard Studio

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

How to Parse value from one panel to another panel in Splunk Dashboard studio

Dashboard Studio

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard