Splunk Search

Automatically Viewing Visualization in Search

TylerJVitale
Explorer

I'm linking a click value token in a dashboard to a search. Is there a way to format the drilldown search string so that the visualization is shown automatically, or would I have to link to a dashboard instead of a search?

Tags (1)
0 Karma
1 Solution

DavidHourani
Super Champion

Hi @TylerJVitale,

Check out this section of the documentation on tokens :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/ContextualDrilldown#Show_or_hide_content

You can use rejects and depends to control when you want a panel in a dashboard to be hidden or revealed based on weather a token is set or unset. You can also apply conditions and only display panels based on those conditions. It's a good read.

Here's an example on how this is done :

<dashboard>
  <row>
    <panel>
      <table>
        <title>Event counts by sourcetype</title>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
        </search>
        <drilldown>
          <set token="show_panel">true</set>
          <set token="selected_value">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel depends="$show_panel$">
      <event>
        <title>Recent events for $selected_value$</title>
        <search>
          <query>index=_internal sourcetype=$selected_value$ </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="count">5</option>
      </event>
    </panel>
  </row>
</dashboard>

Let me know if this helps you.

Cheers,
David

View solution in original post

0 Karma

DavidHourani
Super Champion

Hi @TylerJVitale,

Check out this section of the documentation on tokens :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/ContextualDrilldown#Show_or_hide_content

You can use rejects and depends to control when you want a panel in a dashboard to be hidden or revealed based on weather a token is set or unset. You can also apply conditions and only display panels based on those conditions. It's a good read.

Here's an example on how this is done :

<dashboard>
  <row>
    <panel>
      <table>
        <title>Event counts by sourcetype</title>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
        </search>
        <drilldown>
          <set token="show_panel">true</set>
          <set token="selected_value">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel depends="$show_panel$">
      <event>
        <title>Recent events for $selected_value$</title>
        <search>
          <query>index=_internal sourcetype=$selected_value$ </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="count">5</option>
      </event>
    </panel>
  </row>
</dashboard>

Let me know if this helps you.

Cheers,
David

0 Karma

Vijeta
Influencer

@TylerJVitale you can link to a panel, when the token is set on clicking the panel with visualization will show up. the panel should be dependent on your token, <panel depends="$tokenname$">

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...