Hi,
I am trying the drill-down feature in Splunk. It uses a static query to get the sourcetype, and then we can drill down based on the sourcetype selected from the results.
Is it possible to use a dynamic query? For example, in the text field at the top, the user can enter a metric, say clientip. Then I would get the count by clientip in the master, and when I drill down, it would get detailed metrics. In this way I am not restricting only to sourcetype, but I can enter clientip, useragent or any other metric based on the count.
I am using the code below, but drill-down is not working. Any suggestions, please?
<label>In-Page Drilldown with Perma-linking</label>
<!--
    Enter a metric to drill down
-->
<input type="text" token="metric" searchWhenChanged="true" />
<fieldset submitButton="false">
    <!--
        Create an input to store the drilldown value. It will be hidden using custom javascript when
        the dashboard is loaded.
    -->
    <input type="text" token="value" searchWhenChanged="true" />
</fieldset>
<row>
    <table id="master">
        <title>Master</title>
        <searchString>sourcetype=access_combined_wcookie host=pr*| stats count by $metric$</searchString>
        <earliestTime>-60m@m</earliestTime>
        <latestTime>now</latestTime>
        <!-- Set the type of drilldown, since we will always consume the same field, use row-->
        <option name="drilldown">row</option>
        <drilldown>
            <!-- Use set to specify the new token to be created.
                 Use any token from the page or from the click event to produce the value needed. -->
            <set token="value">$row.metric$</set>
            <!-- If we also set the form.sourcetype the input will get updated too -->
            <set token="form.value">$row.metric$</set>
        </drilldown>
    </table>
</row>
<row>
    <!-- depends is the way we tell the content to only show when the token has a value.
         Hint: use comma separated values if the element requires more than one token. -->
    <chart id="detail" depends="$value$">
        <title>Detail: $value$</title>
        <searchTemplate>sourcetype=access_combined_wcookie host=pr* $value$=$value.row$| timechart count</searchTemplate>
        <earliestTime>-60m@m</earliestTime>
        <latestTime>now</latestTime>
    </chart>
</row>