I have a simple view which outputs a table with 4 fields in a row which are grouped.
This is an example of the output:

AppName    Servers    Status
App1       Server1    OK
App1       Server2    NotOK
If I click the second result in this view to see the events that are in status NotOK for App1 and Server2, then all Servers from App1 with all statuses were displayed. Is there a possibility to show only the events which are in Status NotOK for Server2 and App1?
Thanks for your hints
Thanks for your answer.
It doesn't work correctly, because if I go to the line in the table on the second field, it highlights the first two fields. If I would like to include the third field in the drilldown too and go to the third field in the row, then only the first and the third fields are highlighted, and the subsearch includes only the first and the third field but not the second field.
Here is the view XML file:
<form>
  <label>App - Overview</label>
  <searchTemplate>index="app" sourcetype="app_status" $Arg1$ | stats count by app_name, app_server, app_status</searchTemplate>
  <fieldset autoRun="false">
    <input type="text" token="Arg1">
      <label>Choose how many hours ago it should display</label>
      <prefix>starthoursago="</prefix>
      <default>12</default>
      <suffix>"</suffix>
      <seed>12</seed>
    </input>
  </fieldset>
  <row>
    <table>
      <title>App Overview</title>
      <option name="count">100</option>
      <option name="drilldown">all</option>
    </table>
  </row>
</form>
Do you have any hint why this happens?
This is controlled by what drilldown type is defined for your table. By default drilldown is based on row, which means Splunk takes the first value of the row you're clicking on and drills down based on that. The other option is to have drilldown on cell, which means the value of the specific cell you're clicking on is used instead. To change the drilldown type, either use the Visual Dashboard Editor and edit the panel in question, or edit the XML yourself. If you go for the latter, what you want is to put the following option inside the