Splunk Search

How to create a drilldown for a single value chart to display a timechart panel?

dbcase
Motivator

Hi,

I have a single value chart that shows the count of successful logins for x period of time. I'd like to be able to click on the number and display a timechart panel that shows the login ID and when they logged in. Is this possible?

The existing query I have is:

index=cox sourcetype=wls_managedserver | rex field=message_text "X-login:\s(?<Login>[^\s\:;]+)" | timechart span=1hr count(Login) as "Login Count"

This works just fine. Just having trouble defining a subsequent drilldown on a dashboard.


somesoni2
Revered Legend

dbcase
Motivator

Thanks! That gets very close. Since I'm not especially skilled at XML I think I need to modify this line

<option name="linkView">YourSecondDashboard</option>

But I don't know what I need to modify it to in order to call an in dashboard, not visible (got this one) panel.


somesoni2
Revered Legend

I think you're looking for an in-page drilldown (the timechart to be shown on the same dashboard), so try like this:

<row>
   <panel>
      <single>
         <title>Single Value Drilldown</title>
         <search>
           <query>index=_internal | stats count</query>
           <earliest>$timerange.earliest$</earliest>
           <latest>$timerange.latest$</latest>
         </search>
         <option name="drilldown">all</option>
         <option name="afterLabel">Click Here</option>
         <option name="underLabel">OR Click Here</option>
         <option name="linkFields">underlabel, afterlabel</option>
         <drilldown>
            <set token="showtimechart">y</set>
         </drilldown>
       </single>
   </panel>
</row>
<row>
   <panel depends="$showtimechart$">
      <chart>
         <title>Single Value Drilldown</title>
         <search>
           <query>Your timechart search</query>
           <earliest>$timerange.earliest$</earliest>
           <latest>$timerange.latest$</latest>
         </search>
         <!-- other options -->
       </chart>
   </panel>
</row>
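
A pre-upload check for a dashboard like the one above, as an added example that is not part of the original posts: it reports XML that is not well-formed (such as an unclosed `<drilldown>`) and any `depends`/`rejects` token that nothing in the dashboard sets. The function name `lint_dashboard`, the constructed sample XML, and the simplification that only `<set>`, `<eval>` and `<input>` elements define tokens are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# A token reference looks like $name$; depends/rejects may list several.
TOKEN_REF = re.compile(r"\$([^$\s]+)\$")

def lint_dashboard(xml_text):
    """Return a list of problems found in a Simple XML dashboard string."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # e.g. an opening tag typed where the closing tag belongs
        return [f"not well-formed: {exc}"]
    # Assumption: tokens are defined only by <set>, <eval> and <input>.
    defined = {el.get("token")
               for tag in ("set", "eval", "input")
               for el in root.iter(tag) if el.get("token")}
    problems = []
    for el in root.iter():
        for attr in ("depends", "rejects"):
            for tok in TOKEN_REF.findall(el.get(attr, "")):
                if tok not in defined:
                    problems.append(
                        f"<{el.tag} {attr}> uses ${tok}$ but nothing sets it")
    return problems

# Constructed sample: the two-row layout from the thread, reduced and
# wrapped in a <dashboard> root so it parses as one document.
TEMPLATE = """<dashboard>
  <row><panel><single>
    <search><query>index=_internal | stats count</query></search>
    <option name="drilldown">all</option>
    <drilldown><set token="{set_tok}">y</set>{close}
  </single></panel></row>
  <row><panel depends="${dep_tok}$"><chart>
    <search><query>Your timechart search</query></search>
  </chart></panel></row>
</dashboard>"""

UNCLOSED = TEMPLATE.format(set_tok="showtimechart", dep_tok="showtimechart",
                           close="<drilldown>")
FIXED = TEMPLATE.format(set_tok="showtimechart", dep_tok="showtimechart",
                        close="</drilldown>")
MISMATCH = TEMPLATE.format(set_tok="show_chart", dep_tok="showtimechart",
                           close="</drilldown>")

if __name__ == "__main__":
    for name, xml in (("unclosed", UNCLOSED), ("fixed", FIXED), ("mismatch", MISMATCH)):
        print(name, lint_dashboard(xml))
```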

dbcase
Motivator

Thanks somesoni2!

Worked great!!!! Had to add </drilldown> but other than that it did exactly what was needed! Thank you!!!


s2_splunk
Splunk Employee

I recommend you download the Splunk 6.x Dashboard examples app and take a look at the single value drilldown example in there. That should get you where you want to go.
