@ITWhisperer 

I have extracted all the fields I required :

ndex="abc*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"| table _time totalInputRecordsCount totalOutputRecordsCount

Currently I am showing in Bar chart for totalInputRecordsCount and totalOutputRecordsCount

I want on click of totalOutputRecordsCount it should show nonFinChargeAccounts and finChargeAccounts

Can you please guide here

Your drilldown should use $click.value$ to get the value from the first column (_time) and use that to filter your search for events.

@ITWhisperer 

I don't want _time to be displayed I want $click.value$ on OutputRecordfields

Can you please guide me with the query I need to show that.

If you don't want _time displayed, remove it from the list of fields once you have filtered the search.

Please share what you currently have in your drilldown definition and panel searches.

@ITWhisperer 

My current query is this:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount 

I am showing these two totalInputRecordsCount totalOutputRecordsCount  in bar chart 

I want on click of totalOutputRecordsCount I want to show nonFinChargeAccounts and finChargeAccounts

Please guide

The panel you are drilling down from i.e. the bar chart panel, should set the busDate token based on $click.value$ and the panel you are drilling down to should use the $busDate$ token to filter its search

@ITWhisperer 

I want on click of totalOutputRecordsCount   I need to fin charge and non fin charge

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="selected_value1">$click.value1$</set>
</drilldown>

@ITWhisperer  Can you please guide me with code here as I need to add it in panel today

As I have told you before, the click tokens are value, name, value2 and name2. There isn't a value1. In your case, you should use value i.e.

<set token="selected_value1">$click.value$</set>

You will then have a token called $selected_value1$ which you can use in your drilled down panel to filter _time with and display just the columns you want from that search.

@ITWhisperer 

My Main panel query is below:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>
</drilldown>

Apart from that my drill down panel is as below:

<row>
<panel depends="$show_panel$">
<table>
<title>Caller Details</title>
<search>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount $selected_value1$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>
</row>

@ITWhisperer its not working please guide.

Please read very carefully what I have previously said about click tokens

Also, how do you think you could filter the results you have using the value in the selected_value1 token?

@ITWhisperer 

This is my main query:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>
</drilldown>

Now on totalOutputRecordsCount I want a drill down panel to be open and show nonFinChargeAccounts and finChargeAccounts

This is my drill down panel:

row>
<panel depends="$show_panel$">
<table>
<title>Caller Details</title>
<search>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table  nonFinChargeAccounts finChargeAccounts $selected_value$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

@ITWhisperer not sure how to display it.

Please read very carefully what I have previously said about click tokens

Also, how do you think you could filter the results you have using the value in the selected_value1 token?

To put it another way, if you wanted to change the search in the second panel so it only kept events for a specific time, how would you do that?

@ITWhisperer 

Is this drill down panel correct

<panel depends="$show_panel$">
<table>
<title>Caller Details</title>
<search>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table _time  nonFinChargeAccounts finChargeAccounts $selected_value$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

Not sure @ITWhisperer  Can you please guide me I need to show it today.

No - all you have done is add a field name to the table command - the field name you have added will be the value of the token which (when you get the drilldown sorted out) would be a time value in seconds. What I think you want to do is filter the event returned by the search so that they only include the events with a time value matching the value in the token. Is that correct?

@ITWhisperer 

In my main panel I am showing two filed in bar chart format 

totalInputRecordsCount and totalOutputRecordsCount

In my drilldown panel I want on click of totalOutputRecordsCount it should show these two fileds

nonFinChargeAccounts and finChargeAccounts along with _time (in any format table,column,bar)

I am unable to achieve this:

below is my main panel query:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>
</drilldown>

And this is my drill down panel:

<row>
<panel depends="$show_panel$">
<table>
<title>Caller Details</title>
<search>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount $selected_value1$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

@ITWhisperer  please guide here

Why do you keep repeating what I have already commented on without taking any notice of what I have said and suggested? If you don't understand what I have said, please clarify what it is that you don't understand and I will try to explain it in a different way. My answers are intended to guide you (as you have asked) so that you can learn how to use Splunk more effectively.

@ITWhisperer 

I am not understanding what I need to pass in drill down panel.

OK I'll repeat it

As I have told you before, the click tokens are value, name, value2 and name2. There isn't a value1. In your case, you should use value i.e.

<set token="selected_value1">$click.value$</set>

You will then have a token called $selected_value1$ which you can use in your drilled down panel to filter _time with and display just the columns you want from that search.

@ITWhisperer 

I tried like this . My Main panel query is this:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value$</set>
</drilldown>

And my drill down panel query is this:

<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table  nonFinChargeAccounts finChargeAccounts $selected_value1$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

@ITWhisperer its still not working for me.