Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- creating drilldown panel based on the selected val...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
creating drilldown panel based on the selected value in $click.value$
I want to create a drilldown panel that will run different searches based on the value selected i.e. $click.value$.
search for panel 1 is something like-
my query| top sourcetype
user will click on a sourcetype and then a new panel will come up and i want to give a table with relevant fields based on the selected sourcetype. For example, if the selected sourcetype is firewall, we need to give src dest session_id etc and if the sourcetype is mailbox we need to give sender_email_id receiver_email_id etc.
So, i want to execute table command in my panel 2 based on the sourcetype under consideration.
@somesoni2 @woodcock @gcusello @mayurr98 @rmmiller please help!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this
<dashboard>
<label>drilldown</label>
<row>
<panel>
<table>
<search>
<query>index=_internal |top sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
<drilldown>
<set token="sourcetype">$row.sourcetype$</set>
</drilldown>
</table>
</panel>
</row>
<row depends="$sourcetype$">
<panel>
<table>
<search>
<query>index=_internal sourcetype="$sourcetype$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we have to execute different table commands based on the value of the sourcetype, this is just passing sourcetype. I want that if the value of $sourcetype$ is ! then table A runs in panel 2, if sourcetype is B then table B runs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Check this
<dashboard>
<label>drilldown</label>
<row>
<panel>
<table>
<search>
<query>index=_internal |top sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
<drilldown>
<condition match="'row.sourcetype' == "mongod"">
<set token="sourcetype">$row.sourcetype$</set>
<set token="table">|table date_hour,date_mday,date_second</set>
</condition>
<condition match="'row.sourcetype' == "splunkd"">
<set token="sourcetype">$row.sourcetype$</set>
<set token="table">|table group,name</set>
</condition>
<condition></condition>
</drilldown>
</table>
</panel>
</row>
<row depends="$sourcetype$">
<panel>
<table>
<search>
<query>index=_internal sourcetype="$sourcetype$" $table$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</dashboard>
.conf25 Community Recap
Splunk App Developers | .conf25 Recap & What’s Next
Congratulations to the 2025-2026 SplunkTrust!
