How to get drilldown to work when having totals or formatting numbers


In the following abbreviated search, is there any way to have drilldown work properly when using an addtotals or when trying to format numbers with an eval command after the search? I can't seem to get rid of errors such as the following:

PARSER: Applying intentions failed Drilldown error: unable to drill down from 'stats count as NbrReports by User '

searchstuff......|eval User = UserName." --- ".UserId
| stats count as NbrReports by User
| addtotals fieldname=NbrReports col=true row=false


searchstuff...... |eval User = UserName." --- ".UserId
| convert mstime(TotalReportRunTime) AS nbrSeconds
| stats count as NbrReports, avg(nbrSeconds) as AvgRunTime by User
| eval AvgRunTime = strftime(AvgRunTime, "%M:%S.%3N")

The user wants to be able to click on the User field which is a link. And of course the system adds the | search User="xxxxxx --- xx1234" to the end of the text (for the new search caused by the drilldown), after the addtotals or after the eval which apparently breaks the syntax for the parser.


There are a few things that you can do, though some of them probably won't work in your specific case:

  • With the dashboard editor, you can often control the drilldown for a panel to make it work. On a table, you can choose row, cell or off.
  • Use the fieldformat command instead of eval when formatting numeric fields for display. fieldformat changes only the visual representation, not the underlying value, so drilldowns will still work.
  • Using Advanced XML for a dashboard, you can specifically control the drilldown and how it works, including opening a different view than the usual search results.

The easiest choice for you is to simply turn off the drilldown. The best choice is probably to use Advanced XML, but that is a bit of work and it may not be worth your while. Look here in the Developing... manual for more information.

Finally, you could separate the fields, which would change your search to

searchstuff......
| convert mstime(TotalReportRunTime) AS nbrSeconds 
| stats count as NbrReports, avg(nbrSeconds) as AvgRunTime by UserName UserId
| fieldformat AvgRunTime = strftime(AvgRunTime, "%M:%S.%3N")

I can't think of anything else that would help, but maybe someone else will have an idea...

0 Karma


@lguinn, I'm using an Advanced XML dashboard with row drilldown and I also see this problem. What exactly is the advanced XML workaround? For my particular table it doesn't make sense to use cell drilldown.

0 Karma


Yes, if you want more control of the visualization, you need to put the report in a dashboard. Then you can change the table parameters.

There is no other way to tell Splunk explicitly how to do the drilldown. You could put in an enhancement request by submitting a ticket at https://www.splunk.com/index.php/submit_issue

0 Karma


I shouldn't have said "leading pipe character" since the user clicked on a concatenated field, but I think it could algorithmically be done so that it would both parse correctly and display appropriate results.

0 Karma


Unfortunately the fieldformat command causes the exact same problem as the eval command, namely:

PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'fieldformat' command

and no results appear in the popped up window.

Also, I'm using the default Search app, so I guess I shouldn't modify the table parameters.

It seems to me that it would be simple (and desirable) for the system to add the clicked-on search term before the leading pipe character in the main search. Then everything would work as expected. (At least expected by me.)

0 Karma