Understand basic table and chart drilldown actions

Understand basic table and chart drilldown actions

Splunk's table and chart 'drilldown actions enable you to delve deeper into the details of the information presented to you in tables and charts. With a simple click on a table row or a bar in a bar chart, you can kick off searches that drill down to provide more information about those discrete selections.

This topic provides some examples of this functionality as configured with simple XML via the visual dashboard designer. It also briefly goes over some of the drilldown functionality that can be configured through the advanced XML.

When you click on drilldown-enabled tables or charts, Splunk opens a separate window for the search.

Note: Drilldown functionality does not work for simple XML dashboard panels that are based on searches of summary indexes. To set up drilldown for dashboards utilizing these types of searches, you need to perform "custom wiring" with the advanced XML. For more information, see "Advanced drilldown behavior" in this topic.

For a general overview of Splunk visualization options, see "Visualization Reference," in this manual.

Overview of drilldown functionality for table and chart visualizations

Drilldown functionality enables you to click on the table or chart to set off a search that drills down for more detail on that table or chart. For example, say you have a panel based on this simple search, which runs over the past 24 hours:

From this search, you can get the following table visualization:

referrer	count
http://prettypwnny.com	243
http://deepthaduke.com	65

If this table is set up for row drilldown, when you click on the first row of the panel, Splunk will move to the Search view and run the following search:

...which provides detail information on the 404 error events associated with the PrettyPwnny referrer over the specified search duration.

Setting drilldown options for tables and charts in dashboard panels

Splunk's four search result visualization options produce tables and charts that have drilldown functionality enabled by default. But the Visualization Editor for dashboard panel visualizations gives you the ability to determine the granularity of the functionality for tables, and enables you to turn the functionality on or off for both tables and charts.

For more information about using the Visualization Editor, see "Edit dashboard panel visualizations," in this manual.

Table visualizations in dashboard panels have three drilldown options in the Visualization Editor. They are:

• Row, which means that a click on a row sets off a search across the x-axis value represented by that row. For example, if the row represents a specific period of time, then a click on that row sets off a search that is identical to the search that generated the chart, except that it only covers the time range that the row represents.
• Cell, which sets off a search that is restricted to the x-axis value (the row) and the y-axis value (the column) represented by the cell, when the originating search includes a "split by" clause.
• Off, which turns off the drilldown functionality for the table.

For example, you could use a cell-click in a table resulting from a "timechart count by clientip" search, where the columns are values of clientip, like 192.168.0.14. The timeline for the resulting search shows when those events occurred during that period.

Note: Tables produced by the Report Builder, Advanced Charting view, and the the Search app timeline view have cell-level drilldown functionality by default. Tables produced for dashboard panels have row-level drilldown functionality by defualt.

Dashboard chart visualizations such as bar, column, line, area, and pie charts have two drilldown options in the Visualization Editor. They are:

• Yes, which enables drilldown functionality for the visualization. This lets you drill down on a particular part of a chart or legend by clicking on it. For example, when you click on a particular column of a column chart generated by a timechart command, Splunk runs a search (based on the original search used to generate the bar chart) that covers only the block of time represented by that column.
• No, which turns off the drilldown functionality for the visualization.

For more information about how table and data series visualization drilldown actions actually work, see the following subtopics.

You can specify much more complex drilldown actions when you design them using advanced XML. For more information about designing drilldown actions for dashboards and views see the Developer manual.

Basic table drilldown functionality

As we explain above, you have three basic drilldown options when you define chart visualization types with the Visualization Editor:

• None - Drilldown functionality is turned off.
• Row - A click on a row launches a drilldown search on the x-axis value (the value in the first column of the table) for that row.
• Cell - A click on a cell launches a drilldown search on both the x-axis and y-axis values represented in that cell.

In general, when the search involved in the creation of the original table uses transforming commands, the drilldown wipes out the final transforming command and replaces it with arguments that drill down on the specific x-axis value or x- and y-axis value combination caught by the click. See the subsections below for examples of how this works.

Row drilldown

When a table in a dashboard panel has a Drilldown value of Row, you can initiate drilldown searches along whole rows by clicking on them.

Imagine that you have a dashboard table that is based on this search:

In this table, a "row click" drilldown search would concentrate on the x-axis value of the selected row, which in this case would be a value of the series field, such as fs_notification:

This click sets off the following search in the Search app, which finds six results:

Note that the drilldown search is basically the same as the original search, except that the transforming command has been removed and replaced with a drilldown search term of series="fs_notification".

Cell drilldown

When a table has a Drilldown value of Cell, you can initiate drilldown searches for specific cells by clicking on them.

Say you have a table generated by the following search:

In this table, a "cell click" drilldown search would concentrate on a combination of the x-axis value (the value in the first column for the cell's row) and the y-axis value (the value of the cell's column).

In this example, the clicked on cell initiates the following drilldown search over the 4:40:00pm to 4:40:59pm time range on 12/15/09 (the x-axis value) and adds a focus on the audittrtail value of the series field (the y-axis value):

Note that this drilldown search removes the last transforming command from the originating search.

Note: The y-axis value will not come into play in all cell drilldown searches. Cell-click interactions are designed to work with tables and charts generated by searches containing a "split by" clause. Cell clicks in charts based on reporting commands like timechart max(eps) min(eps) avg(eps) will always behave like row clicks. Such tables should always be configured for row-click drilldown; this approach is less confusing for users of the table.

Basic chart drilldown functionality

As we explain in "Create simple dashboards with the visual dashboard editor," you have two basic drilldown options when you define chart panel types with the visual dashboard editor:

• Off - Drilldown functionality is turned off.
• On - A click on a portion of a chart launches a drilldown search into the values that that portion of the chart represents.

In general, when the search involved in the creation of the original table uses transforming commands, the drilldown wipes out the final transforming command and replaces it with arguments that drill down on the specific x-axis value or x- and y-axis value combination caught by the click. See the subsections below for examples of how this works.

Bar, column, line, and area chart drilldown

Drilldown searches on dashboard bar, column, line, and area charts behave differently depending on whether you click in the body of the chart or in the chart legend, if a legend is displayed.

In general, no matter what you click in the body of a row, column, line, or area chart, Splunk creates a drilldown search that:

• duplicates the search that originated the chart, except with the final transforming commands removed.
• adds a new search term based on the "x-axis" value that you select in the chart.
• possibly adds a "y-axis" value, depending on whether a meaningful y-axis value exists in the originating search. For example, most split-by values work as "y-axis" values. But things like avg(eps) will not.

Say you have a bar chart based on the following search:

In this chart, the x-axis is the processor value, while the y-axis is the cpu_seconds sum over the given time range (the last 60 minutes).

If you click in the body of this chart, the drilldown search drills down on the x-axis value represented by that bar:

Note that the drilldown search is identical to the original search except that the final set of transforming commands has been removed and a focus has been added on the aggregator value of processor.

Drilldown searches on legend items are different. Drilldown searches for chart legends only work when there is a split-by (or y-axis) field in the chart. For example, legend items for a line chart based on timechart avg(eps) by series are values of series, such as audittrail. A click on the audittrail item results in a drilldown search in which series=audittrail is added to the originating search. Legend item drilldown searches always run over the same time range as the originating search.

Note: Sometimes the legend element is something that can't really be drilled down into, like avg(eps). Clicks on such legend items return an error message.

Pie chart drilldown

Pie charts provide identical drilldown behavior whether you click in the body of the chart--a pie slice, in other words--or the label pointing to that slice. Either way, the drilldown focuses on the value represented by the slice or label you click on.

So if the pie chart displays the top processors being utilized over the past 24 hours, and you click on the chart portion or legend item representing the indexer processor, then the drilldown search will be the same as the original, only with the transforming command removed and processor=indexer added. You'll get the same result if you click on the indexer label.

Advanced drilldown behavior

The default table and chart drilldown functionality that you can get out of dashboards created with simple XML is just the start. When you create dashboards using advanced XML, you have a range of table/chart drilldown customization options that can greatly enhance your users' dashboard experience.

For example, you can set up dashboards that:

• Open the search in a view other than the default "flash timeline" search view.
• Have a drilldown click open up a new table or chart beneath the initial panel. Click on a table cell, and see a line chart open up underneath that table that displays the drilldown results.
• Include a nested series of drilldown searches. A click in a bar chart opens a table. A click in that table opens a line chart. And click in that line chart opens a search in a separate window.
• Launch a different search than the search that generates the data in the table or chart. For example, if you've built many charts and tables on searches of a particular summary index, you might want to send your users to a search that isn't based on that summary index.

For more information about setting up advanced drilldown actions like the ones described above, see "How to customize drilldown options" in the Developer manual.

• Was this topic useful?
• Post a comment