Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Search different results with token
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a query like this:
index=.... hostname=*
| eval field1=if(x="y",1,0)
| eval field2=if(x="z",1,0)
| stats sum(field1) as "field1" sum(field2) as "field2" by hostname
The result is a column chart in which I have 2 columns for each hostname that represent the count of filed1 and field2. If I click on a bar (for example filed1 for an hostname), I want to open another custom dashboard that shows other details like ip,.... But in this second dashboard I don't have only the results for field1, but also filed2. I know I need a token to filter the result, but I don't know how. Can anyone help me?
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run anywhere example:
<row>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd | eval field1=if(group="tcpin_connections",1,0) | eval field2=if(group="tcpout_connections",1,0) | stats sum(field1) as tcpin_connections sum(field2) as tcpout_connections by log_level</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="charting.axisY.abbreviation">auto</option>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.placement">top</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="showcounts">true</set>
<set token="showloglevel">$click.value$</set>
<set token="showgroup">$click.name2$</set>
</drilldown>
</chart>
</panel>
<panel depends="$showcounts$">
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level=$showloglevel$ group=$showgroup$ | stats count by component</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="charting.axisY.abbreviation">auto</option>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">top</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>For your case, you could change the first query to
<query>index=.... hostname=*
| eval field1=if(x="y",1,0)
| eval field2=if(x="z",1,0)
| stats sum(field1) as y sum(field2) as z by hostname</query>with perhaps tokens showhost and showx
and the second query to
<query>index=.... hostname=$showhost$ x=$showx$ ...</query>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@marco_massari11 , I'm not sure if I got the question completely correct.
But in case, you require only the results of the bar you clicked on, then you can retrieve the name of the field using :
<set token="clicked_field">$click.name2$</set>and use the token $clicked_field$ to filter results in the query of the other dashboard.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@t_shreya Yes, I set by drilldown tab on the first dashboard a token named "method"=$click.name2$, and the query of the first dashboard is like this:
index=.. hostname=$site$ (service=success or service=failure)
| eval site=substr(NetworkDeviceName,1,7) + substr(NetworkDeviceName, -4)
| eval field1=if(service="x",1,0)
| eval field2=if(service="y",1,0)
| stats sum(field1) as "option1" sum(field2) as "option2" by site
The result is a column chart in which I have 2 columns (count of field 1 and count for field2) for a single site
In the second dashboard I have a query like this:
index=..... hostname=....
| eval site=substr(DeviceName,1,7) + substr(DeviceName, -4)
| search site=$group$
| search service="$method$"
| table .......
Probably my mistake is in the stats beacuse in the title I put the token for the count ant it's correct
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of field1 and field2, can you name your fields y and z, that way you may be able to use the field name of the bar that is clicked to modify the search in the drilldown panel. Alternatively, will counting by x and hostname help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not understand your first option, can you explain it better? The second option can work but I don't want to show the hostname two times in the column chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run anywhere example:
<row>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd | eval field1=if(group="tcpin_connections",1,0) | eval field2=if(group="tcpout_connections",1,0) | stats sum(field1) as tcpin_connections sum(field2) as tcpout_connections by log_level</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="charting.axisY.abbreviation">auto</option>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.placement">top</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="showcounts">true</set>
<set token="showloglevel">$click.value$</set>
<set token="showgroup">$click.name2$</set>
</drilldown>
</chart>
</panel>
<panel depends="$showcounts$">
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level=$showloglevel$ group=$showgroup$ | stats count by component</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="charting.axisY.abbreviation">auto</option>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">top</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>For your case, you could change the first query to
<query>index=.... hostname=*
| eval field1=if(x="y",1,0)
| eval field2=if(x="z",1,0)
| stats sum(field1) as y sum(field2) as z by hostname</query>with perhaps tokens showhost and showx
and the second query to
<query>index=.... hostname=$showhost$ x=$showx$ ...</query>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I think it's not working beacause I still have more result in the second query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know what you mean by that. Can you show your SimpleXML for your dashboard panels?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
