Dashboards and Visualizations

 


Dynamic drilldown in dashboards and forms


Using dynamic drilldown, you can define custom destinations to link to when a user clicks on fields in a dashboard or form. The value captured by the click is passed to the destination. The destination can be another dashboard, form, or view within your Splunk Enterprise installation. The destination can also be an external web page.

Note: Splunk Enterprise provides basic drilldown capability out of the box. For more information about how this core drilldown functionality works, see Drilldown behavior in this manual. The Drilldown behavior topic also provides conceptual details and examples of dynamic drilldown.

For example, the following dashboard lists source type throughput as a table. Subsequent figures show the results of dynamic drilldown for clicking the selected cell, "splunk_web_service."

DynamicDrilldown.png



You can define destinations that open another form, passing in the source type clicked. This is the result of clicking splunk_web_service in the above dashboard.

LandingPageDynamicDrilldown.png



You can also pass the value of what is clicked to a web page, such as Splunk Answers.

Viz DrilldownTargetWebPage.png



Dynamic drilldown basics

To implement dynamic drilldown, use <drilldown> tags.
Place the <drilldown> tags within a table or chart.

Within the <drilldown> tag, optionally specify a target="[attribute]" to direct the drilldown destination. This attribute defaults to target="_self", which opens the link in the current window.

Between the <drilldown> tags, add one or more <link> tags. Use the <link> tag to specify a destination for the drilldown. For example:

<dashboard>
  <row>
    <panel>
      <table>
        <title>Sourcetypes by source (Dynamic drilldown to a form)</title>
        <searchString>
          index="_internal" | stats dc(sourcetype) by sourcetype, source
        </searchString>
        <earliestTime>-60m</earliestTime>
        <latestTime>now</latestTime>
        <option name="count">15</option>
        <option name="displayRowNumbers">false</option>
        <option name="showPager">true</option>

        <drilldown target="My New Window">
          <link>
            /app/dashboard_examples/form_table2?form.sourcetype=$row.sourcetype$
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Specify destinations

Here is the syntax for specifying links:

<drilldown>

  <link>...</link>
  <link>...</link>
   . . .
  <link>...</link>

</drilldown>


There are various ways to specify a destination with the <link> tag. Here is the syntax for specifying a destination in a variety of scenarios:

1. Use a relative path to connect to a dashboard.
2. Use a relative path to connect to a form, passing in a token to populate the form.
3. Pass in the earliest and latest time range from the original search.
    (Requires use of CDATA, as indicated in the following sections.)
4. Use a URL and query argument to pass a value to the destination page

1) <link> path/viewname </link>
2) <link> path/viewname?form.token=$dest_value$ </link>
3) <link> path/viewname?form.token=$dest_value$&earliest=$earliest$&latest=$latest$ </link>
4) <link> URL?q=$dest_value$ </link>

Capture values

There are various ways to capture a value from a dashboard or form and pass the value to the destination.

Use the field or series attribute of the <link> element to specify which values to capture. For tables, use the field attribute to capture the values from the specified column or row. For charts, use the series attribute to capture the values from the specified series.

For example, if your dashboard has a table with columns A, B, and C, consider the following examples:

1. Capture the value from a click in Column A and open a form with the captured value. Clicks in either Column A or Column B use default drilldown behavior.

<link field="A"> path/viewname?form.token=$dest_value$ </link>

2. Same behavior as 1 above, except a click in Column B passes the value as a query argument to a web page.

<link field="A"> path/viewname?form.token=$dest_value$ </link>
<link field="B"> URL?q=$dest_value$ </link>

Syntax for specifying destinations

The syntax for specifying destinations varies, depending on the type of chart you are using and the destination you choose. Refer to the entries for <drilldown> element and <link> element in the Simple XML Reference.

Dynamic drilldown examples

This section provides examples of creating a dynamic drilldown in dashboards or forms. Most of the searches access data available from the Search Tutorial. If you want to download the data from the Search Tutorial to create the dashboards from these examples, see Get the tutorial data into Splunk Enterprise.

Destination form

These examples assume that you have created the following form relative to the default Splunk search app. This form is the destination form in the examples.

FormSearchDrillDown: /app/search/FormsSearchDrillDown

<form>
  <label>Form search drilldown destination</label>
  
  <!-- define master search template, with replacement tokens delimited with $ -->
  <searchTemplate>sourcetype="$sourcetype$" | head 1000</searchTemplate>
  <earliestTime>-30d</earliestTime>
  <latestTime>-0d</latestTime>

  <html>
    Enter a sourcetype in the field below to display the most recent 1000 events
    from the metrics log concerning that sourcetype.
  </html>
  <fieldset>
      <!-- the default is a text box, with no seed value; if user does not input
          a value, then the $sourcetype$ token in searchTemplate will be removed -->
      <input token="sourcetype" />
  </fieldset>
  
  <row>
    <panel>
      <!-- output the results as a 50 row events table -->
      <table>
        <title>Matching events</title>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
  
</form>

Dashboard linking to a Splunk form

This example illustrates how to use a dashboard to implement drilldown from a table to a Splunk form.

The key to how this example works is in the <link> tag. The tag specifies the following:

  • Path to the target form, FormSearchDrillDown
  • The token to use in the target form, sourcetype
  • Pass the value of the processor field from the row selected to the destination form. In this dashboard, no matter where you click on a row, the value for processor in that row is grabbed.
  • Pass the earliest and latest times for the search to the target view.

Note: Use the CDATA section to ensure the '&' character is interpreted correctly.

<link>
<![CDATA[
  /app/search/FormsSearchDrillDown?form.sourcetype=$row.sourcetype$&earliest=$earliest$&latest=$latest$
]]>
</link>


Here is the complete dashboard code:

Dashboard example that links to a Splunk form

<dashboard>
  <label>Dashboard with dynamic drilldown to a Splunk form</label>
  <row>

    <table>
      <searchString>
        index="_internal" group="per_sourcetype_thruput" |
        chart sum(kbps) over series
      </searchString>
      <title>Top sourcetypes (drilldown example)</title>
      <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
      <option name="count">15</option>
      <option name="displayRowNumbers">false</option>
      <option name="showPager">true</option>

      <drilldown>
        <link>
          <![CDATA[
          /app/search/FormsSearchDrillDown?form.sourcetype=$row.sourcetype$&earliest=$earliest$&latest=$latest$
          ]]>
        </link>
      </drilldown>
    </table>

  </row>
</dashboard>

Form linking to Splunk Answers website

This example illustrates how to use a form to implement drilldown from a chart to an external website.

The key to how this example works is in the <link> tag. The tag specifies the following:

  • The complete URL to Splunk Answers
  • Uses $click.value$ to grab the value from the X-axis and passes it as a query parameter to Splunk Answers

<link>
  http://splunk-base.splunk.com/integrated_search/?q=$click.value$
</link>


Here is the complete code for the form:

Splunk form that uses dynamic drilldown to link to an external website

<form>
  <label>Form Search (Beta)</label>
  
  <!-- define master search template, with replacement token delimited with $ -->
  <searchTemplate>
     index="_internal" group="per_sourcetype_thruput" series=$sourcetype$ 
     | chart sum(kbps) over series
   </searchTemplate>

  <fieldset>
     <!-- Use the html tag to specify text to display -->
     <html>
       <p>Enter a sourcetype in the field below. This view returns the most recent 1000 events for that sourcetype.</p>
       <p>In the Matching Events, click in the series column to open the value clicked in a new form</p>
     </html>

     <!-- The default input is a text box, with no seed value -->
     <input token="sourcetype" />
    
     <!-- Include a time picker -->
     <input type="time">
        <default>Last 30 days</default>
      </input>
  </fieldset>
  
  <row>
    <panel>
      <!-- output the results as a 50 row events table -->
      <table>
         <title>Matching events</title>
         <option name="count">50</option>
        
         <!-- $click.value$ captures the value clicked by the user -->
         <!-- and passes it to the website as a query parameter        -->
         <drilldown>          
           <link>
              http://splunk-base.splunk.com/integrated_search/?q=$click.value$
           </link>
         </drilldown>
       </table>
    </panel>
  </row>
  
</form>
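
The following Python audit is an added example, not part of the Splunk documentation. It reads a Simple XML view, lists each drilldown <link> with its field attribute and the tokens it passes, reports links that send clicked values to an external host or use a non-HTTPS scheme, and reports the parse failure caused by a raw '&' outside CDATA. The function name audit_drilldowns and the sample view are constructed for illustration; the two destinations are the ones used in the examples above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")  # $row.sourcetype$, $click.value2$, ...

# Constructed sample view; both destinations are taken from the examples on this page.
SAMPLE = """<dashboard><row><table>
  <drilldown>
    <link field="A"><![CDATA[
      /app/search/FormsSearchDrillDown?form.sourcetype=$row.sourcetype$&earliest=$earliest$&latest=$latest$
    ]]></link>
    <link field="B">http://splunk-base.splunk.com/integrated_search/?q=$click.value$</link>
  </drilldown>
</table></row></dashboard>"""

# The same view with the CDATA wrapper removed, leaving a raw '&' in the XML.
BROKEN = SAMPLE.replace("<![CDATA[", "").replace("]]>", "")

def audit_drilldowns(xml_text):
    """Return (links, findings) for every <link> inside a <drilldown> element."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [], [f"not well-formed XML ({exc}); check for '&' outside CDATA"]
    links, findings = [], []
    for drilldown in root.iter("drilldown"):
        for link in drilldown.iter("link"):
            url = "".join(link.itertext()).strip()
            parts = urlsplit(url)
            tokens = TOKEN_RE.findall(url)
            # A scheme or host means the click leaves the Splunk installation.
            external = bool(parts.scheme or parts.netloc)
            links.append({"field": link.get("field") or link.get("series"),
                          "url": url, "external": external, "tokens": tokens})
            if external and tokens:
                findings.append(f"{parts.netloc}: receives clicked values via {tokens}")
            if external and parts.scheme != "https":
                findings.append(f"{parts.netloc}: scheme {parts.scheme!r} is not https")
    return links, findings

if __name__ == "__main__":
    for text in (SAMPLE, BROKEN):
        links, findings = audit_drilldowns(text)
        for entry in links:
            print(entry["field"], "external" if entry["external"] else "internal", entry["tokens"])
        for finding in findings:
            print("FINDING:", finding)
```
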

Dashboard linking to a multivalue field

If you have a dashboard that displays multivalue fields, you can specify a drilldown location specific to the value clicked. Multivalue fields are fields that appear multiple times in an event and have a different value for each appearance. See Configure multivalue fields for more information on multivalue fields.

Typically with values for a table, you specify $click.name$ or $click.name2$ to capture the value for drilldown from a column or row. However, for multivalue fields, use $click.value2$ to capture the selected value for drilldown. Additionally, the <link> tag uses the field attribute to limit the selection in the column to the multivalue field.

For example, here is how you capture the clicked value for the badges multivalue field in a dashboard. In this dashboard, badges represent user checkins to a FourSquare event during the Splunk 2012 Users Conference.

<link field="badges">

 /app/foursquare_vegas/vegas_badge_1?form.badge=$click.value2$

</link>

  • field:
    Limit the selection to this field
  • /app/foursquare_vegas/vegas_badge_1
    Target form for the drilldown action
  • form.badge:
    Token to use in the target form for the clicked value


Below is the complete source code for this dashboard. The dashboard also has two other drilldown links, plus implements sparklines (see "Add sparklines to search results" in the Search Manual).

Multivalue field drilldown is called out in the code.

<!-- Dashboard enabling drilldown for a multivalue field -->

<dashboard>
  <label>Demo: drilldown</label>
  <row>
    <panel>
    <table>
      <searchString>
        index=foursquare checkin.primarycategory.nodename=*
        | spath output=venue path=checkin.venue.name
        | spath output=badges path=checkin.badges{}.name
        | eval link="Yelp Search"
        | stats count as checkins sparkline values(badges)
              as "badges" values(link) as "links" by venue
        | sort -checkins
      </searchString>
      
      <format field="sparkline" type="sparkline">
        <option name="type">bar</option>
        <option name="height">30</option>
        <option name="barColor">green</option>
        <option name="colorMap">
          <option name="5:9">yellow</option>
          <option name="10:">red</option>
        </option>
      </format>
      <title>Top Venues</title>
      <drilldown>

        <!-- Multivalue field drilldown -->
        <link field="badges">
          /app/foursquare_vegas/vegas_badge_1?form.badge=$click.value2$
        </link>

        <link field="venue">
          /app/foursquare_vegas/vegas_venue_1?form.venue=$row.venue$
        </link>
        <!-- CDATA keeps the '&' between query arguments from breaking the XML -->
        <link field="links">
          <![CDATA[
          http://www.yelp.com/search?find_desc=$row.venue$&find_loc=Las+Vegas,+NV
          ]]>
        </link>
      </drilldown>

    </table>
    </panel>
  </row>
</dashboard>


Here is the actual dashboard, which was demoed at the 2012 Splunk Users Conference. This dashboard displays in Splunk 5, but the principles behind the dynamic drilldown apply to Splunk 6:

5.0-dynamic drilldown-multivalue field 1.jpg

And here is the form that opens after clicking a value for badges:

5.0-dynamic drilldown-multivalue field 2.jpg

This documentation applies to the following versions of Splunk: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4


Comments

Shouldn't the XML in the section "Dashboard linking to a Splunk form" reference /app/search/FormsSearchDrillDown in the URL?

Beaumaris
April 10, 2014
