Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk dashboard clickable table output

vadlamudi
Explorer
‎10-13-2021 11:47 AM

Hi There,

 

I have two queries [Query 1  and Query 2].  what i am planning to achieve is that when user clicks on the server_ID for tabular output of Query 1, then it should be passed as INPUT to the WHERE clause in Query 2  . Any help would be appreciated.

 

 

Query 1:

index=<<index_name>>   sourcetype=webserver | dedup server_ID | table  server_ID

 

Query 1 Output:

server_ID

49552473-567
d5eedf55-dca
5d4bb774-74a
03f03042-1f7

 

Query 2:

 

index=<< index_name>>   "Exception" | where  server_ID= "server_ID from Query1 table"

 

 

Thank You

Labels (6)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2021 12:01 PM

There's a pretty good example of that in the Dashboards and Visualizations manual at https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/ContextualDrilldown#Manage_and_respond_to_tok...

The concept is the first query has a <drilldown> element that sets a token value to the clicked cell.  The second query references that token.  The second query won't run until the token is assigned a value (when the user clicks on the table).

<query>index=<<index_name>>   sourcetype=webserver | dedup server_ID | table  server_ID</query>
<drilldown>
  <set token="server_ID">$row.server_ID$</set>
</drilldown>
index=<< index_name>>   "Exception" | where  server_ID= $server_ID$

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

vadlamudi
Explorer
‎10-13-2021 12:18 PM

HI @richgalloway   I am facing with below error when i tried the above solution that you provided.

 

ERROR: Node drilldown is not allowed here

 

Thank You

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2021 01:01 PM

Why did you accept the answer if it doesn't work?

The dashboard code in the answer is not complete.  The snippets provided need to be inserted into the proper places in your XML.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2021 12:01 PM

There's a pretty good example of that in the Dashboards and Visualizations manual at https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/ContextualDrilldown#Manage_and_respond_to_tok...

The concept is the first query has a <drilldown> element that sets a token value to the clicked cell.  The second query references that token.  The second query won't run until the token is assigned a value (when the user clicks on the table).

<query>index=<<index_name>>   sourcetype=webserver | dedup server_ID | table  server_ID</query>
<drilldown>
  <set token="server_ID">$row.server_ID$</set>
</drilldown>
index=<< index_name>>   "Exception" | where  server_ID= $server_ID$

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-13-2021 11:57 AM

This link should get you started.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/ContextualDrilldown

Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...