Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

creating drilldown panel based on the selected value in $click.value$

ManishVilla7
Explorer
‎12-04-2019 06:49 PM

I want to create a drilldown panel that will run different searches based on the value selected i.e. $click.value$.

search for panel 1 is something like-
my query| top sourcetype
user will click on a sourcetype and then a new panel will come up and i want to give a table with relevant fields based on the selected sourcetype. For example, if the selected sourcetype is firewall, we need to give src dest session_id etc and if the sourcetype is mailbox we need to give sender_email_id receiver_email_id etc.

So, i want to execute table command in my panel 2 based on the sourcetype under consideration.

@somesoni2 @woodcock @gcusello @mayurr98 @rmmiller please help!!

0 Karma
Reply

vnravikumar
Champion
‎12-04-2019 07:31 PM

Hi

Try this

<dashboard>
  <label>drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal |top sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="sourcetype">$row.sourcetype$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$sourcetype$">
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype="$sourcetype$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma
Reply

ManishVilla7
Explorer
‎12-04-2019 07:56 PM

we have to execute different table commands based on the value of the sourcetype, this is just passing sourcetype. I want that if the value of $sourcetype$ is ! then table A runs in panel 2, if sourcetype is B then table B runs.

0 Karma
Reply

vnravikumar
Champion
‎12-05-2019 01:35 AM

Hi

Check this

<dashboard>
  <label>drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal |top sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition match="'row.sourcetype' == &quot;mongod&quot;">
            <set token="sourcetype">$row.sourcetype$</set>
            <set token="table">|table date_hour,date_mday,date_second</set>
          </condition>
           <condition match="'row.sourcetype' == &quot;splunkd&quot;">
            <set token="sourcetype">$row.sourcetype$</set>
            <set token="table">|table group,name</set>
          </condition>
          <condition></condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$sourcetype$">
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype="$sourcetype$" $table$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...