Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Parse value from one panel to another panel in Splunk Dashboard studio

Sudhagar
Loves-to-Learn Everything
‎08-05-2025 10:58 PM

Hello Team,

 

I have a panel which is having table visualization when clicked it has to parse value from this panel to another panel's data source (splunk query) 

I have tried this by putting interaction (set tokens) and used the token value in panel2

Panel 1

      {
            "type": "drilldown.setToken",
            "options": {
                "tokens": [
                    {
                        "token": "event_id",
                        "key": "eventid"
                    }
                ]
            }
        }


Panel2 Datasource (Splunk query)
`citrix_alerts`
| fields - Component,Alert_type,Country,level,provider,message,alert_time
| search event_id=$eventid$


JSON
{
    "type": "splunk.table",
    "options": {
        "backgroundColor": "transparent",
        "tableFormat": {
            "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByBackgroundColor)",
            "headerBackgroundColor": "> backgroundColor | setColorChannel(tableHeaderBackgroundColorConfig)",
            "rowColors": "> rowBackgroundColors | maxContrast(tableRowColorMaxContrast)",
            "headerColor": "> headerBackgroundColor | maxContrast(tableRowColorMaxContrast)"
        }
    },
    "dataSources": {
        "primary": "ds_pRiJzPOh"
    },
    "showProgressBar": false,
    "showLastUpdated": false,
    "context": {}
}




Labels (1)
Labels
0 Karma
Reply

Sudhagar
Loves-to-Learn Everything
‎08-06-2025 08:08 PM

Hello @livehybrid @PrewinThomas 

Thanks a lot for your valuable replies

i have tried the same but what's happening is , its fetching the values only one time but when clicked other values it's getting pickedup those values. Providing my code for your reference, could you please take a look and provide your guidance on how to solve this


{
    "type": "splunk.table",
    "showProgressBar": false,
    "showLastUpdated": false,
    "dataSources": {
        "primary": "ds_GCK97kyD"
    },
    "options": {
        "backgroundColor": "> themes.defaultBackgroundColor",
        "tableFormat": {
            "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByTheme)"
        },
        "font": "monospace",
        "columnFormat": {
            "Severity": {
                "data": "> table | seriesByName(\"Severity\") | formatByType(SeverityColumnFormatEditorConfig)",
                "rowColors": "> table | seriesByName('Severity') | matchValue(SeverityRowColorsEditorConfig)"
            },
            "Sev": {
                "width": 38,
                "data": "> table | seriesByName(\"Sev\") | formatByType(SevColumnFormatEditorConfig)",
                "rowColors": "> table | seriesByName('Sev') | matchValue(SevRowColorsEditorConfig)"
            },
            "Role": {
                "width": 51
            },
            "AlertParams": {
                "width": 223
            },
            "EventID": {
                "width": 63
            },
            "Server": {
                "width": 104
            },
            "Team": {
                "width": 101
            }
        }
    },
    "context": {
        "SeverityColumnFormatEditorConfig": {
            "number": {
                "thousandSeparated": false,
                "unitPosition": "after"
            }
        },
        "SeverityRowColorsEditorConfig": [
            {
                "match": 1,
                "value": "#D41F1F"
            },
            {
                "match": 2,
                "value": "#CBA700"
            },
            {
                "match": 3,
                "value": "#118832"
            }
        ],
        "SevColumnFormatEditorConfig": {
            "number": {
                "thousandSeparated": false,
                "unitPosition": "after"
            }
        },
        "SevRowColorsEditorConfig": [
            {
                "match": 2,
                "value": "#D41F1F"
            },
            {
                "match": 1,
                "value": "#CBA700"
            },
            {
                "match": "",
                "value": "#118832"
            }
        ]
    },
    "title": "",
    "eventHandlers": [
        {
            "options": {
                "tokens": [
                    {
                        "key": "row.event_id.value",
                        "token": "eventid"
                    }
                ]
            },
            "type": "drilldown.setToken"
        }
    ]
}

 

{
    "type": "splunk.markdown",
    "options": {
        "markdown": "selected eventid : $eventid$",
        "fontColor": "#ffffff",
        "fontSize": "custom",
        "customFontSize": 25
    },
    "context": {},
    "showProgressBar": false,
    "showLastUpdated": false
}



I am using this markdown just to know whether the interaction is working fine or not , but my actual aim is to parse this table's eventid clicked value into below query

`citrix_alerts`
| fields - Component,Alert_type,Country,level,provider,message,alert_time
| search event_id=$eventid$

 

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎08-06-2025 02:12 AM

Here is a full working example for your to try:

livehybrid_0-1754471567751.png

 

{
    "title": "TokenSet",
    "description": "",
    "inputs": {
        "input_global_trp": {
            "options": {
                "defaultValue": "-24h@h,now",
                "token": "global_time"
            },
            "title": "Global Time Range",
            "type": "input.timerange"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "earliest": "$global_time.earliest$",
                        "latest": "$global_time.latest$"
                    }
                }
            }
        },
        "visualizations": {
            "global": {
                "showProgressBar": true
            }
        }
    },
    "visualizations": {
        "viz_6cm12FqM": {
            "options": {
                "markdown": "eventid: $eventid$"
            },
            "type": "splunk.markdown"
        },
        "viz_Fba9zdzF": {
            "dataSources": {
                "primary": "ds_60Uo5lG8"
            },
            "eventHandlers": [
                {
                    "options": {
                        "tokens": [
                            {
                                "key": "row.event_id.value",
                                "token": "eventid"
                            }
                        ]
                    },
                    "type": "drilldown.setToken"
                }
            ],
            "options": {},
            "type": "splunk.table"
        }
    },
    "dataSources": {
        "ds_60Uo5lG8": {
            "name": "Search_1",
            "options": {
                "query": "| makeresults count=5 \n| streamstats count\n| eval msg=\"Test message\".tostring(count)\n| eval event_id=md5(msg)"
            },
            "type": "ds.search"
        }
    },
    "layout": {
        "globalInputs": [
            "input_global_trp"
        ],
        "layoutDefinitions": {
            "layout_1": {
                "options": {
                    "display": "auto",
                    "height": 960,
                    "width": 1440
                },
                "structure": [
                    {
                        "item": "viz_6cm12FqM",
                        "position": {
                            "h": 40,
                            "w": 360,
                            "x": 20,
                            "y": 20
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_Fba9zdzF",
                        "position": {
                            "h": 120,
                            "w": 1360,
                            "x": 20,
                            "y": 60
                        },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "options": {},
        "tabs": {
            "items": [
                {
                    "label": "New tab",
                    "layoutId": "layout_1"
                }
            ]
        }
    }
}

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎08-06-2025 02:10 AM

Hi @Sudhagar 

The issue here is your "token" field value - it should be either key, value or row.<fieldName>.value, such as:

"eventHandlers": [
                {
                    "options": {
                        "tokens": [
                            {
                                "key": "row.event_id.value",
                                "token": "eventid"
                            }
                        ]
                    },
                    "type": "drilldown.setToken"
                }
            ],

NOT just the field name as you have in your example.

@PrewinThomas Regarding $click.value$ - Doesnt this only apply to classic XML dashboards?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PrewinThomas
Motivator
‎08-06-2025 02:56 AM

@livehybrid Thanks for pointing it out. Yes that apply to classic only. 
@Sudhagar As @livehybrid  mentioned you can use row.event_id.value(For specific field value) or value(for any clicked value) or name(field name of the clicked value) in dsahboard studio.

 

"options": {
"tokens": [
{
"key": "value",
"token": "eventid"
}
]
}

 

0 Karma
Reply

Sudhagar
Loves-to-Learn Everything
‎08-06-2025 12:25 AM

Thanks for the hint @PrewinThomas 
but even after changing it, its not working dynamically whenever we click at panel1
To do the troubleshooting i just put the $event_id$ token in markdown but the clicked value inside panel1 its not showing in markdown as well.
could you please help to share what i am doing wrong or share some reference docs for the same.

{
    "type": "splunk.markdown",
    "options": {
        "markdown": "$event_id$",
        "fontColor": "#ffffff",
        "fontSize": "custom",
        "customFontSize": 25
    },
    "context": {},
    "showProgressBar": false,
    "showLastUpdated": false
}




0 Karma
Reply

PrewinThomas
Motivator
‎08-06-2025 01:02 AM

@Sudhagar 

What's your actual field name? Is it eventid or event_id?.
Also can you test with below(to get your actual clicked value)

 

{
"type": "drilldown.setToken",
"options": {
"tokens": [
{
"token": "event_id",
"value": "$click.value$"
}
]
}
}

 

Then use markdown to test

{
"type": "splunk.markdown",
"options": {
"markdown": "**Selected Event ID:** $event_id$",
"fontColor": "#ffffff",
"fontSize": "custom",
"customFontSize": 25
}
}


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

PrewinThomas
Motivator
‎08-05-2025 11:10 PM

@Sudhagar 

Your token name is event_id, but in in your query you are referring to key name.

Use,

`citrix_alerts`
| search eventid=$event_id$
| fields - Component,Alert_type,Country,level,provider,message,alert_time

Also make sure the field in Panel 1 is actually named eventid. If it's event_id, update the key accordingly

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...