Splunk Search

How do I specify a drilldown to show only the results of the value I clicked on in a table format?

jhuysing
Explorer

Hi

I am a complete noob at all this Splunk stuff.

I have built a search that display results in a table.
What I would like to do is have a left click option to open a new search with only the results of that value in a table format, but not as a raw list like "view events" does.

0 Karma

stephanefotso
Motivator

Hello. The Contextual Drilldown(Inpage) dashboard, of the splunk 6.x dashboard example app can help you. Here is the code:

<form>
    <label>In-Page Drilldown with Perma-linking</label>
    <fieldset submitButton="false">
        <!--
            Create an input to store the drilldown value. It will be hidden using custom javascript when
            the dashboard is loaded.
         -->
        <input type="text" token="sourcetype" searchWhenChanged="true" />
    </fieldset>
    <row>
        <table id="master">
            <title>Master</title>
            <searchString>index=_internal | stats count by sourcetype</searchString>
            <earliestTime>-60m@m</earliestTime>
            <latestTime>now</latestTime>
            <!-- Set the type of of drilldown, since we will always consume the same field, use row-->
            <option name="drilldown">row</option>
            <drilldown>
                <!-- Use set to specify the new token to be created.
                     Use any token from the page or from the click event to produce the value needed. -->
                <set token="sourcetype">$row.sourcetype$</set>
                <!-- If we also set the form.sourcetype the input will get updated too -->
                <set token="form.sourcetype">$row.sourcetype$</set>
            </drilldown>
        </table>
    </row>
    <row>
        <!-- depends is the way we tell the content to only show when the token has a value.
             Hint: use comma separated values if the element requires more than one token. -->
        <chart id="detail" depends="$sourcetype$">
            <title>Detail: $sourcetype$</title>
            <searchTemplate>index=_internal sourcetype=$sourcetype$ | timechart count</searchTemplate>
            <earliestTime>-60m@m</earliestTime>
            <latestTime>now</latestTime>
        </chart>
    </row>
</form>
SGF
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...