Hi
I am a complete noob at all this Splunk stuff.
I have built a search that displays results in a table.
What I would like to do is have a left click option to open a new search with only the results of that value in a table format, but not as a raw list like "view events" does.
Hello. The Contextual Drilldown (Inpage) dashboard of the Splunk 6.x dashboard example app can help you. Here is the code:
<form>
  <label>In-Page Drilldown with Perma-linking</label>
  <fieldset submitButton="false">
    <!--
      Create an input to store the drilldown value. It will be hidden using custom javascript when
      the dashboard is loaded.
    -->
    <input type="text" token="sourcetype" searchWhenChanged="true" />
  </fieldset>
  <row>
    <table id="master">
      <title>Master</title>
      <searchString>index=_internal | stats count by sourcetype</searchString>
      <earliestTime>-60m@m</earliestTime>
      <latestTime>now</latestTime>
      <!-- Set the type of drilldown, since we will always consume the same field, use row-->
      <option name="drilldown">row</option>
      <drilldown>
        <!-- Use set to specify the new token to be created.
             Use any token from the page or from the click event to produce the value needed. -->
        <set token="sourcetype">$row.sourcetype$</set>
        <!-- If we also set the form.sourcetype the input will get updated too -->
        <set token="form.sourcetype">$row.sourcetype$</set>
      </drilldown>
    </table>
  </row>
  <row>
    <!-- depends is the way we tell the content to only show when the token has a value.
         Hint: use comma separated values if the element requires more than one token. -->
    <chart id="detail" depends="$sourcetype$">
      <title>Detail: $sourcetype$</title>
      <searchTemplate>index=_internal sourcetype=$sourcetype$ | timechart count</searchTemplate>
      <earliestTime>-60m@m</earliestTime>
      <latestTime>now</latestTime>
    </chart>
  </row>
</form>
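
A variant of the dashboard above, added here as an example and not part of the original answer or of the Splunk example app: the detail panel is a table rather than a chart, and the token is inserted with the `|s` quote filter because a form input can be filled in by hand or from a shared link as well as by a click. The `stats count by source, host` breakdown and the changed label are assumptions chosen for illustration.

```xml
<form>
  <label>In-Page Drilldown to a Detail Table</label>
  <fieldset submitButton="false">
    <!-- Holds the clicked value. As a form input it can also be filled in
         by hand or from a shared link, so treat it as untrusted text. -->
    <input type="text" token="sourcetype" searchWhenChanged="true" />
  </fieldset>
  <row>
    <table id="master">
      <title>Master</title>
      <searchString>index=_internal | stats count by sourcetype</searchString>
      <earliestTime>-60m@m</earliestTime>
      <latestTime>now</latestTime>
      <option name="drilldown">row</option>
      <drilldown>
        <set token="sourcetype">$row.sourcetype$</set>
        <set token="form.sourcetype">$row.sourcetype$</set>
      </drilldown>
    </table>
  </row>
  <row>
    <!-- A table instead of a chart; shown only once a row has been clicked. -->
    <table id="detail" depends="$sourcetype$">
      <title>Detail: $sourcetype$</title>
      <!-- $sourcetype|s$ wraps the value in double quotes and escapes quotes
           inside it, so spaces or pipes stay part of the sourcetype value
           instead of being parsed as search syntax.
           The fields source and host are assumed for illustration. -->
      <searchTemplate>index=_internal sourcetype=$sourcetype|s$ | stats count by source, host | sort - count</searchTemplate>
      <earliestTime>-60m@m</earliestTime>
      <latestTime>now</latestTime>
      <!-- No further drilldown from the detail rows. -->
      <option name="drilldown">none</option>
    </table>
  </row>
</form>
```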