Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Panel cell clicking not working with cell e...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Panel cell clicking not working with cell enabled on drilldown
Good Evening All,
I am looking for a solution to a splunk panel when I try to click on any cell value it should open events related to
that cell value, instead its opening all event values. settings on drill down click is set to cell. Please suggest any workable solution for problem.
Question:
index= xxx | eval code = some condition | eval Res = some condition | Stats count(eval(Res='success')) As Success count(eval(Res='failure')) As Failures by name | sort by count desc . the below 5 columns are pulled with some row entries.(settings on drilldown is cell enabled but still cant achieve the required solution)
name code. success failures count
xxxx 1234 50 60 110
yyyy 4312 70 80 150
zzzz 5678 80 50 130
as mentioned above when clicked on cell 50 at row1, it should retrieve only 50 success events, similarly when clicked at 50 at row3, it should retrieve only 50 failures events.
Thanks in Advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @REACHGPRAVEEN,
You can use predefined tokens $click.name2$ to get fieldname and $row.<fieldname>$ to get any field (column) value from the clicked table row. Try this.
<form>
<label>MyDashboard01</label>
<row>
<panel>
<title>Table</title>
<table>
<search>
<query>| makeresults
| eval _raw="name,code,success,failures,count
xxxx,1234,50,60,110
yyyy,4312,70,80,150
zzzz,5678,80, 50,130"
| multikv forceheader=1
| table name,code,success,failures,count</query>
<earliest>-1h</earliest>
<latest>now</latest>
</search>
<drilldown>
<set token="code">$row.code$</set>
<set token="result">$click.name2$</set>
</drilldown>
</table>
</panel>
</row>
<row depends="$code$">
<panel>
<title>Token Usage</title>
<table>
<search>
<query>| makeresults
| eval message="filter events on code=$code$ and Res=$result$"
| table message</query>
<earliest>-1h</earliest>
<latest>now</latest>
</search>
</table>
</panel>
</row>
</form>
If this reply helps you, a like would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
