I have a timechart created with this search:
```
sourcetype=sp*search host=apset0725 Status!=A | timechart span=1w count by Status usenull=f
```
I would like to create a drilldown to another dashboard. I want it so that, when clicked, the token will populate with Status. Currently, if I choose "click.value2", then the token populates with the value of count.
Use `$click.name2$`.
Also, use this: http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/PanelreferenceforSimplifiedXML#chart_.28event_...
Yeah, it goes by the table returned by the `timechart` command. `$click.name$` returns the name of the field on the X-axis (probably `_time`), `$click.name2$` returns the name of the field on the Y-axis (your series).
Understood, but like I said, the name of the field is "Status", yet the click returns the value, which is "Abandoned". Oh, I think I get it. The "by Status" casts the status values as fields that contain counts as values.
My brain has expanded.
That worked great, thanks, but I don't understand how it worked. I had read the document you referred me to before posting this, and it was my understanding that click.name returned the name of the field ("Status"). Yet in this case it has returned the value ("Abandoned").
Can you help me understand the workings in this case? Thanks.
Another thing, if you would be so kind.
In the main dashboard I have this drilldown code:
```
<drilldown>
  <link>
    <![CDATA[
    /app/SPSearchData/drilldown_search_and_results?status=$click.name2$&earliest=$earliest$&latest=$latest$
    ]]>
  </link>
</drilldown>
```
My intent is to also send the timestamp.
The receiving form looks like this:
```
Drilldown Search and Results
<input type="dropdown" token="status" searchWhenChanged="true">
<label>Status</label>
<choice value="Abandoned">Abandoned</choice>
<choice value="Clicked">Successful</choice>
</input>
<panel>
<table>
<searchString>sourcetype=sp:2013:search host=apset0725 Status=$status$ |eval lowerQuery=lower(Query) |stats values(ResultsEncoded) as Results by lowerQuery
|rex field=Results max_match=10 "(?<encoded>\d.+?)|"
|fields - Results
|mvexpand encoded
|rex field=encoded "(?<rank>\d+)##\d+..+(?<doc>http.+?)#"
|fields - encoded
|eval rank=rank+1
|sort lowerQuery rank
|dedup lowerQuery doc rank
| stats list(rank) as Rank,list(doc) as Documents by lowerQuery
|rename lowerQuery as "Query String (normalized)"
```
When I click the timechart, my `$status$` variable is set just fine, but `$earliest$` and `$latest$` do not work properly.
Advice?
Make sure the earliestTime and latestTime tags in the receiving form actually use tokens passed from the other form. Ideally you'd add a time range picker to the receiving form as well, to let the value passed from the other form be the default but also to allow the user to fiddle with it.
Got it working! But now I want to display it in something other than Epoch time. I have a separate question on the matter at https://answers.splunk.com/answers/188890/convert-epoch-time-from-drilldown-parameter.html. Look forward to any help on it!