- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Drill down Single Value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want to drill down a single value.
I have a single value named High Risk and I created a table now I want to drill down.. If I click the High risk single value the table have to open.
How to do it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you require drilldown to a new dashboard with table when Single Value is clicked. Were you able to get Splunk 6.x Dashboard Examples app? It has examples for most of the concepts required for Simple XML, JS and CSS Extensions, including drilldown event handler.
Following is a run anywhere search. You need to understand Search Event Handler <progress> (for Splunk 6.5 and above), which is used here to pass on the Single Value result (in my case count. You should also read about link input in Splunk which allows you to provide internal or external URLs/Links. Most important, refer to the the link here for Splunk Documentation on drilldown event handler: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#drilldown
<single>
<search>
<query>index=_internal sourcetype=splunkd log_level=ERROR
| stats count</query>
<progress>
<set token="queryString">$result.count$</set>
</progress>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">all</option>
<drilldown>
<link target="_blank">https://answers.splunk.com/search.html?q=$queryString$</link>
</drilldown>
</single>
PS: Search Event Handler for 6.4 or previous version will be Preview instead of Progress.
For custom link within Splunk instance fully qualified path might not be required. Refer to documentation or Splunk 6.x Dashboard Examples.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you require drilldown to a new dashboard with table when Single Value is clicked. Were you able to get Splunk 6.x Dashboard Examples app? It has examples for most of the concepts required for Simple XML, JS and CSS Extensions, including drilldown event handler.
Following is a run anywhere search. You need to understand Search Event Handler <progress> (for Splunk 6.5 and above), which is used here to pass on the Single Value result (in my case count. You should also read about link input in Splunk which allows you to provide internal or external URLs/Links. Most important, refer to the the link here for Splunk Documentation on drilldown event handler: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#drilldown
<single>
<search>
<query>index=_internal sourcetype=splunkd log_level=ERROR
| stats count</query>
<progress>
<set token="queryString">$result.count$</set>
</progress>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">all</option>
<drilldown>
<link target="_blank">https://answers.splunk.com/search.html?q=$queryString$</link>
</drilldown>
</single>
PS: Search Event Handler for 6.4 or previous version will be Preview instead of Progress.
For custom link within Splunk instance fully qualified path might not be required. Refer to documentation or Splunk 6.x Dashboard Examples.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you want to display the table when Single Value is clicked or Do you have a token that you need to pass on to the table from Single Value?
For the first piece refer to Null Search Swapper example in the Splunk 6.x Dashboard Examples App, for understanding the use of depends and rejects to hide/show a dashboard content based on whether the token is set or unset. For the Drilldown you can either refer to Drilldown Single Value example or any other Drilldown example (like Contextual Drilldown(In-Page) which explains coding of Drilldown event handler and pass on the token which you require.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me what are the changes I have to make and where the table dashboard link have to paste? for drill down single value
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">all</option>
<option name="rangeColors">["0x555","0xd93f3c"]</option>
<option name="rangeValues">[0]</option>
<option name="underLabel">High risk</option>
<option name="unit">K</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">0</option>
</single>
</panel>
<panel>
<single>
<search>
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
