Solved: <drilldown> not allowed here

gerbert · ‎03-27-2021

Hello,

I want to conduct a search, set a token according to the search result and then set another bunch of tokens depending on the search result token.
However I get the error "<drilldown> not allowed here" in line 13. I use exactly the same syntax as in the example of the splunk documentary (https://docs.splunk.com/Documentation/Splunk/8.1.3/Viz/tokens under the section "Troubleshoot job property access").
Is there some kind of typo I'm not seeing?

<dashboard>
<label>Title</label>
<search>
<query>
index=somesearch| rename testresult AS XX
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<set token="testtoken">$result.XX$</set>
</done>
</search>
<drilldown>
<condition match="1==1">
<set token="test1">X1</set>
<unset token="test2"></unset>
<unset token="test3"></unset>
</condition>
<condition match="testtoken==2">
<unset token="test1"></unset>
<set token="test2">X2</set>
<unset token="test3"></unset>
</drilldown>
[...]
<dashboard>

Help would be greatly appreciated.

ITWhisperer · ‎03-27-2021

It looks like the search is not associated with a panel so there would be no visualisation to drilldown from

View solution in original post

ITWhisperer · ‎03-27-2021

It looks like the search is not associated with a panel so there would be no visualisation to drilldown from

gerbert · ‎03-27-2021

Thanks!

So in case someone in the future has the same problem. You need to enclose the above code in something like this:

  <row>
    <panel depends="$alwaysHideCSS$">
      <single>
        <search>
           [...]
        </search>
        <drilldown>
           [...]
        </drilldown>
      </single>
    </panel>
  </row>

<drilldown> not allowed here

other

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Enterprise Security Content Update (ESCU) | New Releases