Solved: How to drilldown on a table that uses display valu...

DaClyde · ‎11-29-2017

I have a dashboard with two levels of drilldowns. The first dashboard is a list of servers. Click on a server name and it gives you a list of that server's clients. Click on a client name and it shows you information from that client.

What I want to do is use a lookup to show a "friendly name" (like a business unit or division) instead of the actual server name. The problem I run into is that now the "friendly name" is what gets passed on as the $click.value$ to the client list. How can I display a "friendly name" but still have the drilldown use the original server name value on the drill down?

martin_mueller · ‎06-04-2018

Rename the ugly field to _uglyfield, and use $row._uglyfield$ in your drilldown. The underscore will make the table hide the field.

View solution in original post

martin_mueller · ‎06-04-2018

Rename the ugly field to _uglyfield, and use $row._uglyfield$ in your drilldown. The underscore will make the table hide the field.

martin_mueller · ‎06-05-2018

Not sure if it exists explicitly, but implicitly somewhere by stating that underscore fields are internal/hidden... Feel free to leave docs feedback in the dashboarding docs.

DaClyde · ‎06-05-2018

Beautiful, that worked perfectly! Where is that little nugget in the documentation?

somesoni2 · ‎11-29-2017

If you're using table visualization, you can have your search query to have both actual server name as well as friendly name, but use <fields> element to display only the friendly name. The actual server name will still be available at drilldown. You would've to use $row.fieldnameforActualServer$ instead of $click.value$ . See this

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/PanelreferenceforSimplifiedXML#table

DaClyde · ‎06-04-2018

It has been awhile, but I'm back working on this. If I don't include the servername field in the <fields> list, it isn't passed in the drill down. If I include it in the <fields> list it shows up in the search results, but the drill down works.

What am I missing? How do I make the servername field available, but not visible in the initial results table?

somesoni2 · ‎06-04-2018

Other option you've is, pass the "Friendly name" to drilldown/client search, and then where you're using host filter (earlier when you were using host name), use a subsearch which uses that friendly name to fetch host names from the lookup. E.g.

Server List query:

| inputlookup yourlookup.csv | table FriendlyNameCol, hostNameCol | stats count by FriendlyNameCol | table FriendlyNameCol

When clicked it'll pass FriendlyNameCol value as $click.value$ .

Client List query:

index=foo sourcetype=bar [ | inputlookup yourlookup.csv | where FriendlyNameCol="$drilldownToken$" | table hostNameCol] | .. rest of the search

DaClyde · ‎06-17-2021

3 years later, I'm finally getting around to using this and it works great. Thanks!

How to drilldown on a table that uses display values from a lookup

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

How to drilldown on a table that uses display values from a lookup

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...