Splunk Search

Help! How to create a drilldown table.

Hi All,

Could you help me on creating a drilldown table that will list all the ticket number based on the value of the resolution profile in another table.
Please see below my search query.
serach query...| stats count by uresolutionprofiles | sort -count | rename count as "Number" uresolutionprofiles as "Resolution Profile"

Table view that is from my stats command:
Resolution Profile | Number
User Maintenance | 100

Thanks in advance

0 Karma

Re: Help! How to create a drilldown table.


@NicoloPunzalan24, you can check out Splunk Dashboard Examples app which contains a lot of different types of drilldown possible in Splunk.

From Splunk Enterprise 6.6 onward, Drilldown can be customized directly from UI. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro
Also refer to documentation for default tokens available in table drilldown: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#table_.28event_tokens.2...

Following is a run anywhere dashboard similar to your question to mock the drilldown from source table to destination. Additionally depends attribute has been used to hide the table until a row from first table is clicked.

  <label>Drilldown from one table to another</label>
        <title>Main Table (Click Row to Drilldown)</title>
          <query>index="_internal" sourcetype="splunkd" log_level!="INFO"
| stats count as "Number" by component
| sort - Number
| rename component as "Resolution Profile"</query>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
          <set token="tokResolutionProfile">$row.Resolution Profile$</set>
      <table depends="$tokResolutionProfile$">
        <title>Drilldown Table</title>
          <query>| makeresults
            | fields - _time 
            | eval "Resolution Profile"="$tokResolutionProfile$"

| eval message="Happy Splunking!!!"

View solution in original post

0 Karma