Dashboards and Visualizations

 


Drilldown behavior


Visualizations have drilldown behavior enabled by default. The exception is the single value visualization, which has drilldown disabled by default. A user clicks on a visualization to launch a detailed search that is driven by captured values from the location of the click. The detailed search opens in the Search page. The detailed search duplicates the original search but removes the final transforming command, replacing it with the value captured from the visualization.

The value captured for drilldown differs, depending on the visualization. You can configure drilldown behavior from either the Panel Editor or the underlying simple XML code. See Default drilldown behavior to configure drilldown behavior from the Panel Editor. See the Panel visualization elements in the Simple XML Reference to configure drilldown behavior in simple XML code.

You can implement dynamic drilldown to customize the drilldown behavior. Use the <drilldown> tag and other related tags in simple XML code to implement dynamic drilldown. With dynamic drilldown, you can specify a link to another page to display the results or you can specify a contextual drilldown to the same page. See Dynamic drilldown for details.

Default drilldown behavior

The default drilldown behavior differs, depending on the visualization.

The Simple XML Reference provides details on configuring drilldown behavior in simple XML code. You can also configure drilldown behavior from the Panel Editor.

  1. From the dashboard, click Edit > Edit Panels.
  2. From the panel, click the visualization formatting icon.
  3. In the Drilldown field, specify the drilldown option.
  4. Click Apply. Click Done.

Note: You cannot specify drilldown for a single value visualization from the Panel Editor. You specify drilldown behavior in simple XML code. See Single value for details.

The following topics discuss the drilldown properties for each visualization.

Chart

The chart visualization has two options for drilldown behavior available from the Panel Editor.

Drilldown Option | Description
Yes | Default. Enables drilldown behavior.
No | Disables drilldown for the chart.

The drilldown behavior for a chart differs, depending on whether you click the chart or the chart legend.

When you click a data point in the chart, the resulting drilldown search captures the value of the field or series for the Y-axis of a chart. The exception is a pie chart, which does not have a Y-axis. The drilldown search for a pie chart captures the value of the selected segment.

When you click a chart legend, the generated drilldown search adds the clicked field to the base search for the chart. If the legend displays a calculated value instead of fields, the drilldown search is the base search that drives the data in the chart.

Bar chart drilldown example

The bar chart in this example uses the following search to display results.

index="_internal" source="*metrics.log" group="pipeline" | chart sum(cpu_seconds) over processor | sort 10 - sum(cpu_seconds)

Viz drilldownChart.png

A drilldown selection on the linebreaker processor result generates the following detailed search.

index="_internal" source="*metrics.log" group="pipeline" processor=linebreaker

Chart legend drilldown examples

This example shows the drilldown search when you click a field in the chart legend.

Viz drilldown chart legend.png

Search that drives the chart:

index=_internal | timechart count by sourcetype

Drilldown search from when you click the scheduler field in the chart legend:

index=_internal sourcetype=scheduler

This example shows the drilldown search generated when you click a calculated value in the chart legend:

Viz drilldown chart legend2.png

Search that drives the chart:

index="_internal" source="*metrics.log" group="pipeline" | chart sum(cpu_seconds) over processor | sort 10 - sum(cpu_seconds)

Drilldown search when you click a calculated value in the chart legend:

index="_internal" source="*metrics.log" group="pipeline"

Events visualization

You can choose three different ways to display events:

  • Raw
  • List
  • Table

The drilldown options available for events visualizations differ for each of these display types.

The examples in this section that illustrate drilldown from an events visualization use the following search. The following screen capture shows the search in an events list, but you could also display the data as raw events or in a table.

index=_internal earliest=-1d | stats count by log_level

Viz drilldownEvent.png

Events are a core concept of Splunk Enterprise. For more information on events, see About event types.

Events as raw and list

For data displayed as raw events or in a list, drilldown behavior depends on your mouse-over selection of a segment in the event listing. You can specify the type of selection as full, inner, or outer. For more information, see Types of event segmentation.

Depending on the drilldown option, you mouse over a major segment, contiguous minor segments, or a minor segment. After mousing over a selection, click to launch a detailed search.

The following examples show the ways you can select an event for drilldown. The examples derive from the event visualization shown above.


Drilldown Option | Description | Example
Full | Select a major segment, or one or more contiguous minor segments. The first example shows the mouse over for minor segments. The second example shows the selection of a major segment. | Viz drilldownEventFull2.png, Viz drilldownEventFull.png
Inner | Select a single minor segment. | Viz drilldownEventInner.png
Outer | Select a complete major segment. | Viz drilldownEventOuter.png
None | Disables drilldown. |

Events as table

If you display events as a table, the user can select a cell in the table for drilldown. This launches a detailed search based on the value of the first column in the row, which is the time of the event. You can enable or disable drilldown for events displayed in a table.

The Event visualization, displayed in a table, has two options for drilldown behavior available from the Panel Editor.

Drilldown Option | Description
On | Default. Enables drilldown behavior.
Off | Disables drilldown behavior.

The following visualization displays events as a table. You can click on any cell for drilldown. This table uses the same search as the example in the introduction to Events visualization.

index=_internal earliest=-1d | stats count by log_level

Viz drilldownEventTable.png

The resulting detailed search captures the value in the initial column for the search, which is the time specified for the base search.

index=_internal earliest=-1d

Map

The map visualization provides default drilldown behavior for a cluster on a map. When you click on a cluster you generate a detailed search based on the boundaries of the cluster. See map event tokens for details on all map tokens available for drilldown.

The map visualization has two options for drilldown behavior available from the Panel Editor.

Drilldown Option | Description
Yes | Default. Enables drilldown behavior.
No | Disables drilldown.

The following search generates a map showing California earthquakes of magnitude greater than 3 for the past 30 days.

index=main mag>3 | geostats latfield=latitude longfield=longitude count

Viz drilldownMap.png

When you click on a cluster indicating earthquake data, you generate a detailed search based on the latitude and longitude boundaries of that cluster.

index=main mag>3 | search latitude>=36.21094 latitude<36.56250 longitude>=-122.34375 longitude<-121.64062

Note: This example uses earthquake data downloaded from the USGS Earthquakes website.

Single value

You enable drilldown behavior for a single value visualization in simple XML code. Specify all for the drilldown option.

<single>
  <searchString>
    index=_internal source="*splunkd.log" (log_level=ERROR 
    OR log_level=WARN* OR log_level=FATAL 
    OR log_level=CRITICAL) | stats count as log_events 
    | rangemap field=log_events low=1-100 elevated=101-300 default=severe
  </searchString>
  <title>Log events</title>
  <earliestTime>-1d</earliestTime>
  <latestTime>now</latestTime>
  <option name="classField">range</option>
  <option name="afterLabel">total logging events</option>
  <option name="beforeLabel">Found</option>
  <option name="drilldown">all</option>
</single>

Viz drilldownSingle.png

Click the value in the visualization to generate the following detailed search.

index=_internal source="*splunkd.log" (log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL)

Table

The table visualization has three options for drilldown behavior available from the Panel Editor.

Drilldown Option | Description
cell | Default. For the selected cell, captures the value for the first column in a row and the value for the selected column. The generated drilldown search searches with these values.
row | Captures the value from all cells in the selected row for the drilldown search.
none | Disables drilldown for the table.

The examples that illustrate the row and cell drilldown options derive from the following table. The following search drives the data listed in this table.

index=_internal earliest=-1d | stats count by sourcetype log_level component

Viz drilldownTable.png

Row drilldown option

If you configure a table with the row drilldown option and click on a cell in the table, the drilldown search uses the values for all columns in the table. In this example, a click anywhere in the first row generates the following drilldown search.

index=_internal earliest=-1d sourcetype=splunk_web_service log_level=ERROR component=utility

Cell drilldown option

If you configure a table with the cell drilldown option and click on a cell in the table, the drilldown search combines the value for the column of the selected cell with the value for the initial column in the row. In this example, a click in the log_level column of the first row generates the following search.

index=_internal earliest=-1d sourcetype=splunk_web_service component=utility

Dynamic drilldown

Use dynamic drilldown to customize drilldown behavior. With dynamic drilldown you can specify the following custom targets for the generated detailed search:

  • A dashboard or form in an app in your Splunk Enterprise installation
  • A third-party URL
  • A location on the same page (contextual drilldown)

Dynamic drilldown elements

You implement dynamic drilldown in simple XML code using the <drilldown> element with other simple XML elements. See Drilldown elements in the Simple XML Reference for details.

Element | Description
<drilldown> | Define custom destinations. Parent element of the other dynamic drilldown elements.
<condition> | Specify fields that generate drilldown actions.
<link> | Specify a target destination for a detailed search.
<set> | Publish global tokens that can be consumed by any other element or search within a dashboard. Use <set> and <unset> when displaying drilldown results on the same dashboard. See Contextual drilldown elements.
<unset> | Remove a token that was previously set. Use <set> and <unset> when displaying drilldown results on the same dashboard. See Contextual drilldown elements.

Drilldown event tokens

Dynamic drilldown uses drilldown event tokens to customize the values you capture from a visualization. The tokens available depend on the visualization.

For example, for a map visualization, the tokens specify the field and value from a map marker as well as latitude and longitude values. For a table visualization, the tokens specify the name and value returned from a clicked cell. The following table lists the drilldown event tokens available for a table visualization. See Drilldown event tokens in the Simple XML Reference for a complete list of tokens available for all visualizations.

Token | Description
click.name | Name of the leftmost field that is displayed in the table. This is always _time, if present.
click.value | Value of the left-most column in the clicked row.
click.name2 | Name of the clicked column.
click.value2 | Value of the clicked column.
row.<fieldname> | All field values for the clicked table row, including those fields that are not displayed.
earliest/latest | Time range of the clicked table row, or if not applicable, the time range of the search.

Drilldown event tokens differ from the tokens you define with the <set> element. Drilldown event tokens are pre-defined for capturing values from a click in a visualization. Tokens that are defined with the <set> element specify values that the target destination consumes.

Specify a destination link

The <link> element provides various options for specifying the destination for dynamic drilldown. For details, see <link> element in the Simple XML Reference.

You can specify the following:

  • Specify a dashboard in the same or different app in your Splunk Enterprise instance.
  • Pass in a token value to populate a form in the destination target.
  • Pass in earliest and latest values to define the search terms in the destination form.
  • Open a third party URL, optionally passing in the value captured by the drilldown action as a query argument.
  • Specify target values for the <a> HTTP anchor tag, indicating how to open the target HTTP web page.

When used with the <condition> element, you can specify the name of the field or series from which to capture values for drilldown.

Dynamic drilldown example

This example shows how to pass a drilldown value from a dashboard to a form that is in a separate app. The dashboard contains a table. A click anywhere in a row of the table captures the value for the source type from the first column in the row. This value is passed as the input value to the form.

This is the dashboard containing the table.

Viz DynamicDrilldownToForm.png

This is the form, which is in a separate app. The value passed from the dashboard becomes the input to the form. The form shows the results when a user of the dashboard clicks anywhere in the row for the splunk_web_service source type.

Viz DynamicDrilldownForm.png

Dashboard implementing dynamic drilldown

  • Uses the <drilldown> and <link> elements.
  • Specifies the target attribute in <link> to open the target in a new page.
  • References the src_type_tok token, which is defined in the target form.
  • Specifies row for the drilldown option.

Form

  • Defines the src_type_tok token.
  • Populates the text input with the value passed in for the token and runs the form.

Source code for the table in the dashboard that implements dynamic drilldown:

<table>
  <title>Source type</title>
  <searchString>
    index="_internal" | chart count by sourcetype
    | sort sourcetype
  </searchString>
  <earliestTime>-7d@h</earliestTime>
  <latestTime>now</latestTime>
  <drilldown>
    <link target="_blank">
      /apps/MyApp/drilldown_dynamic_target_form?form.src_type_tok=$row.sourcetype$
    </link>
  </drilldown>
  <option name="drilldown">row</option>
</table>

Source code for the form that accepts the passed in value:

<form>
  <label>Dynamic Drilldown (Target Form)</label>
  <description/>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="src_type_tok" searchWhenChanged="true">
      <label>Source type</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Source type details</title>
        <searchString>
          index=_internal | timechart span=1week count by $src_type_tok$
        </searchString>
        <earliestTime>-30d@d</earliestTime>
        <latestTime>now</latestTime>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
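
The target form above places the URL-supplied form.src_type_tok value into its search text as written, whereas the $docket|s$ reference later on this page uses the |s token filter, which wraps the value in quotation marks and escapes any quotation marks inside it. The following Python check is an added example, not part of the Splunk documentation: it lists tokens that a form input or a drilldown <set> can populate and that reach a search element without |s. The names audit, settable_tokens, Finding and HARDENED_FORM are illustrative, and the hardened search is a constructed variant.

```python
"""Added example: list Simple XML search tokens that are not |s-quoted."""
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

# Elements used on this page whose text is executed as a search.
SEARCH_TAGS = {"searchString", "searchTemplate", "searchPostProcess"}
# $name$ or $name|filter$ (token names may contain dots, e.g. bounds.north).
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|(\w+))?\$")

Finding = namedtuple("Finding", "element token origin filter search")


def settable_tokens(root):
    """Return {token: origin} for tokens a dashboard user can influence."""
    origins = {}
    for el in root.iter("input"):
        if el.get("token"):
            # Form inputs accept a value from the URL as form.<token>=...
            origins[el.get("token")] = "form input / URL"
    for el in root.iter("set"):
        if el.get("token"):
            # Drilldown <set> copies a clicked value into the token.
            origins.setdefault(el.get("token"), "drilldown <set>")
    return origins


def audit(xml_text):
    """Find user-settable tokens referenced in a search without |s."""
    root = ET.fromstring(xml_text)
    origins = settable_tokens(root)
    findings = []
    for el in root.iter():
        if el.tag not in SEARCH_TAGS:
            continue
        # Collapse whitespace so the reported search is a single line.
        search = " ".join("".join(el.itertext()).split())
        for match in TOKEN_RE.finditer(search):
            name, token_filter = match.groups()
            if name in origins and token_filter != "s":
                findings.append(
                    Finding(el.tag, name, origins[name], token_filter, search))
    return findings


# The target form from this page, trimmed to the parts that matter here.
PAGE_FORM = """
<form>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="src_type_tok" searchWhenChanged="true">
      <label>Source type</label>
    </input>
  </fieldset>
  <row><panel><chart>
    <searchString>
      index=_internal | timechart span=1week count by $src_type_tok$
    </searchString>
  </chart></panel></row>
</form>
"""

# Constructed variant (an assumption, not from the page): the token is used
# as a field value and quoted with the |s filter.
HARDENED_FORM = PAGE_FORM.replace(
    "index=_internal | timechart span=1week count by $src_type_tok$",
    "index=_internal sourcetype=$src_type_tok|s$ | timechart span=1week count",
)

if __name__ == "__main__":
    for label, xml_text in (("page", PAGE_FORM), ("hardened", HARDENED_FORM)):
        results = audit(xml_text)
        print(label, "->", len(results), "finding(s)")
        for f in results:
            print(f"  <{f.element}> ${f.token}$ from {f.origin}: {f.search}")
```

A finding marks a reference to review rather than a confirmed flaw; |s suits a token used as a field value, not one used as a field name as in count by $src_type_tok$.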

Single value drilldown using hidden fields

From a single value visualization you can drill down on hidden fields. This example is from an app that provides access to online government regulation documents. It uses a single value visualization to display a selected regulation. When you click the regulation, a new browser window opens at the government regulations website, displaying the online document for the regulation.


Viz Single HiddenField.png


Viz Single HiddenField target.png

The example app uses a global search that returns information about government agencies, regulations, and regulation IDs. It contains two single value visualizations that use post process searches to obtain the values to display.

There are two dropdowns:

  • Select an agency
    Selects a government agency, displaying the name of the agency selected as a single value visualization.
  • Select a regulation
    Selects a regulation from the selected agency, displaying the regulation name as a single value.

The second single value visualization consumes the fields regulation_docketTitle and docketId from its post process search. However, a single value field can only display the first returned value, which is the regulation_docketTitle in this example.

The visualization uses the <drilldown> element to drill down on the "hidden value field," docketId. It specifies the hidden field in the $row.<field>$ drilldown event token. See Single event tokens for a list of all drilldown event tokens.

$row.docketId$

The following source code shows how to access the hidden value field for single value visualizations.

<form stylesheet="regulations_explorer.css">
  <label>Regulations Explorer</label>

  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="agency" searchWhenChanged="true">
      <label>Select an Agency</label>
      <populatingSearch earliest="$earliest$" latest="$latest$" . . .>
        <!-- populating search for input -->
      </populatingSearch>
      <choice value="*">ALL</choice>
      <default>*</default>
    </input>

    <input type="dropdown" token="docket" searchWhenChanged="true">
      <label>Select a regulation</label>
      <populatingSearch fieldForValue="docketTitle" fieldForLabel="docketTitle">
        <!-- populating search for input -->
      </populatingSearch>
    </input>
    
    <!-- time picker input -->
  </fieldset>


  <!-- Global search for post process                       -->
  <!-- Provides docketId and regulation_docketTitle fields  --> 
  <!-- That are consumed by the single value visualization  -->  
  <searchTemplate>
    | pivot regulations Regulations_Data count(Regulations_Data)
    AS "Count of Regulations Data" SPLITROW docketId
    AS "docketId" SPLITROW docketTitle
    AS "regulation_docketTitle" SPLITROW commentStatus
    AS "regulation_comment_status" SPLITROW commentEndDateLong
    AS "regulation_comments_end_date" SPLITROW commentStartDateLong
    AS "regulation_comment_start_date" SPLITROW agency_name
    AS "agency_name" FILTER docketTitle contains $docket|s$
    | sort - regulation_comment_start_date| head 1
  </searchTemplate>
  . . . 
  <row>
    <panel>
      <single>
        <!-- Displays regulation_docket title --> 
        <searchPostProcess>
            | fields regulation_docketTitle, docketId
        </searchPostProcess>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>

        <drilldown>
          <link>
            <![CDATA[ http://www.regulations.gov/#!docketDetail;D=]]>$row.docketId$
          </link>
        </drilldown>
      </single>
    </panel>
  </row>
  . . .
</form>

Contextual drilldown elements

Contextual drilldown generates results to a visualization on the same dashboard. Compare to the dynamic drilldown example above, which generates drilldown results from one dashboard to a separate form. Use the <condition> element with the <drilldown>, <set>, and <unset> elements to implement contextual drilldown.

Use the <condition> element as a child of the <drilldown> element. The field attribute of the <condition> element specifies the fields whose values you want to capture. The <condition> element lets you specify different actions for the drilldown, depending on the field clicked.

Use the <set> element to assign the value from a drilldown token to another token that the target of the drilldown consumes. The <set> element is a child of the <condition> element. The <unset> element removes a token that was previously set.

Use the depends and rejects attributes of panel visualization elements to specify tokens that need to be present to display a visualization.

Basic contextual drilldown example

This example shows how a click anywhere in a row of a table passes a value to a chart on the same page. The drilldown captures the value from the first column in the clicked row to pass to the chart. The chart is hidden until a user clicks on the table.

Viz inpage drilldown.png

This example uses the <set> element to set the src_type_tok to the value returned from the $click.value$ drilldown token, which is the value from the first column in the table. See table event tokens.

The chart consumes the src_type_tok in the depends attribute to the <chart> element, the <title> element, and in the search. The depends attribute prevents the chart from displaying until a user clicks in the table.

<dashboard>
  <row>
    <table>
      <title>Set sourcetype token on click</title>
      <searchString>
        index=_internal | stats count by sourcetype
      </searchString>
      <earliestTime>-4h</earliestTime>
      <latestTime>now</latestTime>
      <drilldown>
          <set token="src_type_tok">$click.value$</set>
      </drilldown>
    </table>
    <chart depends="$src_type_tok$">
      <title>Chart for $src_type_tok$</title>
      <searchString>
        index=_internal sourcetype=$src_type_tok$ | timechart count by sourcetype
      </searchString>
      <earliestTime>-4h</earliestTime>
      <latestTime>now</latestTime>
    </chart>
  </row>
</dashboard>

Contextual example from map visualization

This example shows how to drill down to markers on a map visualization. The map visualization shows earthquake activity for the past month. The generated search on a map marker displays in a bar chart with details from the map data. For example, a click on the marker straddling Montana, Utah, and Wyoming generates the chart on the right.

Viz Map dynamic.png

Note: This example uses earthquake data downloaded from the USGS Earthquakes website.

The following search shows earthquake activity for incidents greater than magnitude .9:

index=main mag > .9 | geostats latfield=latitude longfield=longitude count

The <drilldown> element sets tokens based on the bounds of a marker showing clustered locations. The captured values derive from the click.bounds.<orientation> map token. See map event tokens for details on all map tokens available for drilldown.

<drilldown>
  <set token="bounds.north">$click.bounds.north$</set>
  <set token="bounds.east">$click.bounds.east$</set>
  <set token="bounds.south">$click.bounds.south$</set>
  <set token="bounds.west">$click.bounds.west$</set>
</drilldown>

The chart contains the following search, which consumes the tokens that the drilldown action generates:

index=main mag > .9 | search latitude >= $bounds.south$ latitude < $bounds.north$ longitude >= $bounds.west$ longitude < $bounds.east$ | top place

Here is the source code that implements this contextual drilldown example:

<row>
  <panel>
    <map>
      <searchString>
        index=main mag>.9 
        | geostats latfield=latitude longfield=longitude count
      </searchString>
      <earliestTime>0</earliestTime>
      <latestTime/>
      <option name="mapping.data.maxClusters">1000</option>
      <option name="mapping.drilldown">all</option>
      <option name="mapping.map.center">(39.3,-95.98)</option>
      <option name="mapping.map.zoom">4</option>
      <option name="mapping.markerLayer.markerMaxSize">40</option>
      <option name="mapping.markerLayer.markerMinSize">20</option>
      <option name="mapping.markerLayer.markerOpacity">0.9</option>
      <option name="mapping.tileLayer.maxZoom">7</option>
      <option name="mapping.tileLayer.minZoom">0</option>
      <drilldown>
        <set token="bounds.north">$click.bounds.north$</set>
        <set token="bounds.east">$click.bounds.east$</set>
        <set token="bounds.south">$click.bounds.south$</set>
        <set token="bounds.west">$click.bounds.west$</set>
      </drilldown>
      <option name="mapping.tileLayer.url">
        http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
      </option>
    </map>
  </panel>
  <panel>
    <chart>
      <title>Places</title>
      <searchString>
        index=main mag>.9 | search 
        latitude >= $bounds.south$ 
        latitude < $bounds.north$
        longitude >= $bounds.west$ 
        longitude < $bounds.east$ 
        | top place
      </searchString>
      <earliestTime>0</earliestTime>
      <latestTime/>
      <option name="charting.chart">bar</option>
    </chart>
  </panel>
</row>

Contextual example with multiple conditions

This example sets multiple conditions for drilldown. It contains a table listing event counts for source types by log level. A click in the table generates a detail chart. The detail chart is not visible until the user drills down from the table. The content of the detail chart differs, depending on where a user clicks in the table.

  • Click the sourcetype or Total column
    The detail chart displays details for all log levels.
  • Click a log level column
    The detail chart displays details for that log level.

Viz inpage drilldown1.png


Viz inpage drilldown2.png


This example sets three conditions using the field attribute of the <condition> tag. Each condition sets token values for $s_sourcetype$ and $s_log_level$. The search in the detail chart consumes these tokens.

   <drilldown>
     <condition field="sourcetype">
       <set token="s_sourcetype">$row.sourcetype$</set>
       <set token="s_log_level">*</set>
     </condition>
     <condition field="Total">
       <set token="s_sourcetype">$row.sourcetype$</set>
       <set token="s_log_level">*</set>
     </condition>
     <condition field="*">
       <set token="s_sourcetype">$row.sourcetype$</set>
       <set token="s_log_level">$click.name2$</set>
     </condition>
   </drilldown>

For all columns in the table, the token $s_sourcetype$ captures the value from the $row.sourcetype$ table token. This sets the value to the source type of the clicked cell.

For the sourcetype and Total columns, a click sets the $s_log_level$ token value to '*'.

For the log level columns, a click sets the $s_log_level$ token value to the value of the $click.name2$ table token. This token captures the name of the column of the clicked table cell.

The <chart> element for the detail chart sets the value of the depends attribute to $s_sourcetype$. The chart does not display until drilldown from the table sets this token.

<chart depends="$s_sourcetype$">

Here is the source code implementing this dynamic drilldown example:

<panel>
  <table>
    <title>Events: Source type by log level</title>
    <searchString>
      index=_internal log_level=*
      | chart count over sourcetype by log_level | addtotals
    </searchString>
    <earliestTime>-7d@h</earliestTime>
    <latestTime>now</latestTime>
    <option name="drilldown">cell</option>
    <drilldown>
      <condition field="sourcetype">
        <set token="s_sourcetype">$row.sourcetype$</set>
        <set token="s_log_level">*</set>
      </condition>
      <condition field="Total">
        <set token="s_sourcetype">$row.sourcetype$</set>
        <set token="s_log_level">*</set>
      </condition>
      <condition field="*">
        <set token="s_sourcetype">$row.sourcetype$</set>
        <set token="s_log_level">$click.name2$</set>
      </condition>
    </drilldown>
  </table>
</panel>
<panel>
  <chart depends="$s_sourcetype$">
    <title>
      Events: sourcetype="$s_sourcetype$" and log_level="$s_log_level$"
    </title>
    <searchString>
      index=_internal sourcetype="$s_sourcetype$"
      log_level="$s_log_level$" | timechart count
    </searchString>
    <earliestTime>-7d@h</earliestTime>
    <latestTime>now</latestTime>
  </chart>
</panel>

This documentation applies to the following versions of Splunk: 6.1, 6.1.1, 6.1.2, 6.1.3

