Solved: Re: Automatically Viewing Visualization in Search

TylerJVitale · ‎06-18-2019

I'm linking a click value token in a dashboard to a search. Is there a way to format the drilldown search string so that the visualization is shown automatically, or would I have to link to a dashboard instead of a search?

DavidHourani · ‎06-18-2019

Hi @TylerJVitale,

Check out this section of the documentation on tokens :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/ContextualDrilldown#Show_or_hide_content

You can use rejects and depends to control when you want a panel in a dashboard to be hidden or revealed based on weather a token is set or unset. You can also apply conditions and only display panels based on those conditions. It's a good read.

Here's an example on how this is done :

<dashboard>
  <row>
    <panel>
      <table>
        <title>Event counts by sourcetype</title>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
        </search>
        <drilldown>
          <set token="show_panel">true</set>
          <set token="selected_value">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel depends="$show_panel$">
      <event>
        <title>Recent events for $selected_value$</title>
        <search>
          <query>index=_internal sourcetype=$selected_value$ </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="count">5</option>
      </event>
    </panel>
  </row>
</dashboard>

Let me know if this helps you.

Cheers,
David

View solution in original post

DavidHourani · ‎06-18-2019

Hi @TylerJVitale,

Check out this section of the documentation on tokens :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/ContextualDrilldown#Show_or_hide_content

You can use rejects and depends to control when you want a panel in a dashboard to be hidden or revealed based on weather a token is set or unset. You can also apply conditions and only display panels based on those conditions. It's a good read.

Here's an example on how this is done :

<dashboard>
  <row>
    <panel>
      <table>
        <title>Event counts by sourcetype</title>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
        </search>
        <drilldown>
          <set token="show_panel">true</set>
          <set token="selected_value">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel depends="$show_panel$">
      <event>
        <title>Recent events for $selected_value$</title>
        <search>
          <query>index=_internal sourcetype=$selected_value$ </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="count">5</option>
      </event>
    </panel>
  </row>
</dashboard>

Let me know if this helps you.

Cheers,
David

Vijeta · ‎06-18-2019

@TylerJVitale you can link to a panel, when the token is set on clicking the panel with visualization will show up. the panel should be dependent on your token, <panel depends="$tokenname$">

Automatically Viewing Visualization in Search

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?

Automatically Viewing Visualization in Search

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases