Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

<drilldown> not allowed here

gerbert
Path Finder
‎03-27-2021 01:07 AM

Hello,

I want to conduct a search, set a token according to the search result and then set another bunch of tokens depending on the search result token.
However I get the error "<drilldown> not allowed here" in line 13. I use exactly the same syntax as in the example of the splunk documentary (https://docs.splunk.com/Documentation/Splunk/8.1.3/Viz/tokens under the section "Troubleshoot job property access").
Is there some kind of typo I'm not seeing?

 

<dashboard>
<label>Title</label>
<search>
<query>
index=somesearch| rename testresult AS XX
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<set token="testtoken">$result.XX$</set>
</done>
</search>
<drilldown>
<condition match="1==1">
<set token="test1">X1</set>
<unset token="test2"></unset>
<unset token="test3"></unset>
</condition>
<condition match="testtoken==2">
<unset token="test1"></unset>
<set token="test2">X2</set>
<unset token="test3"></unset>
</drilldown>
[...]
<dashboard>

 

 
Help would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-27-2021 02:13 AM

It looks like the search is not associated with a panel so there would be no visualisation to drilldown from

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-27-2021 02:13 AM

It looks like the search is not associated with a panel so there would be no visualisation to drilldown from

0 Karma
Reply
Solved! Jump to solution

gerbert
Path Finder
‎03-27-2021 03:24 AM

Thanks!

So in case someone in the future has the same problem. You need to enclose the above code in something like this:

  <row>
    <panel depends="$alwaysHideCSS$">
      <single>
        <search>
           [...]
        </search>
        <drilldown>
           [...]
        </drilldown>
      </single>
    </panel>
  </row>

 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...