Dashboards & Visualizations

Why are Values for 2nd panel not coming from 1st panel?


Hi Team,

I have created two panels

My first panel details are:

<![CDATA[index=abc ns=blazegateway app_name=blazecrsgateway* "serviceResponseStatus" $Ope$ $caller$ $status$
|rex field=_raw "operation:(?P<Operation>.*), serviceResponseStatus"
|rex field=_raw "caller:(?P<Caller>.*) =" |rex field=_raw "serviceResponseTime\(ms\)=(?P<Response_Time>.*)"
| eventstats count by Caller|rename Caller as "GRS Caller"
|lookup ApplicationRef.csv GRSCaller as "GRS Caller" OUTPUT DisplayName
|rename "GRS Caller" as "GRSCaller"
|eval CallerName=If(isnull(DisplayName),GRSCaller,DisplayName)
| table CallerName Operation Response_Time serviceResponseStatus date|rename CallerName as "GRS Caller"
| rename date as "Date" | rename serviceResponseStatus as "Response_Status"|sort - Date]]>

<set token="show_panel1">true</set>
<set token="selected_value">$click.value$</set>


From this I am getting details as below:

GRS Caller   Operation   ResponseTime   Status         Date

OneForce     ls                       286 ms                   Success    2022-06-27
OneForce     dmrupload      381 ms                    Failure   2022-06-27


I want when I click on 1st row the detailed description of 1st row should come.

Can someone guide me what query I can make for 2nd panel extraction

Currently I have make this but its not working


<panel depends="$show_panel1$">
<title>Caller Details1</title>
<query>abc ns=blazegateway app_name=blazecrsgateway* "serviceResponseStatus" $Ope$ $caller$ $status$ $selected_value$ </query>
<option name="count">100</option>


Labels (3)
0 Karma


Where does your 'detailed description' come from and what would be the search that finds this - you are just using the token $selected_value$

$click.value$ will not be useful for the drilldown - your drilldown setting should be "row" and the tokens set should be

  <set token="show_panel1">true</set>
  <set token="selected_caller">$row.GRS Caller$</set>
  <set token="selected_op">$row.Operation$</set>
  <set token="selected_rt">$row.ResponseTime$</set>
  <set token="selected_tatus">$row.Status$</set>
  <set token="selected_date">$row.Date$</set>
  <set token="selected_XXX">$row.other_field1...$</set>

However, you are doing lots of other stuff in your original search which means the clicked row will not be useful for the search, e.g. you extract Operation via a rex statement.

It would be better to just 'save' all the fields you want from the first search and then display them with a simple query in the second panel.

i.e. collect ALL the fields you want into the table statement in the first search. Then add

<fields>"GRS Caller","Operation"."Response_Time","Response_Status","Date"

in the XML to restrict what fields are shown

in the second panel just make the query do something like

| makeresults
| eval GRS_Caller=$selected_caller$
| eval Operation=$selected_op$
... other eval statements to assign fields from tokens
| table your_wanted_fields
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...