Dashboards and Visualizations

 


Understand basic table and chart drilldown actions


Splunk's table and chart drilldown actions enable you to delve deeper into the details of the information presented to you in tables and charts. With a simple click on a table row or a bar in a bar chart, you can kick off searches that drill down to provide more information about those discrete selections.

This topic provides some examples of this functionality as configured with simple XML via the visual dashboard designer. It also briefly goes over some of the drilldown functionality that can be configured through the advanced XML.

When you click on drilldown-enabled tables or charts, Splunk opens a separate window for the search.

Note: Drilldown functionality does not work for simple XML dashboard panels that are based on searches of summary indexes. To set up drilldown for dashboards utilizing these types of searches, you need to perform "custom wiring" with the advanced XML. For more information, see "Advanced drilldown behavior" in this topic.

For a general overview of Splunk visualization options, see "Visualization Reference," in this manual.

Overview of drilldown functionality for table and chart visualizations

Drilldown functionality enables you to click on the table or chart to set off a search that drills down for more detail on that table or chart. For example, say you have a panel based on this simple search, which runs over the past 24 hours:

sourcetype=apache 404 | top referrers

From this search, you can get the following table visualization:

referrer                  count
http://prettypwnny.com    243
http://deepthaduke.com    65

If this table is set up for row drilldown, when you click on the first row of the panel, Splunk will move to the Search view and run the following search:

search sourcetype=apache 404 referrer="http://prettypwnny.com"

...which provides detailed information on the 404 error events associated with the PrettyPwnny referrer over the specified search duration.

Setting drilldown options for tables and charts in dashboard panels

Splunk's four search result visualization options produce tables and charts that have drilldown functionality enabled by default. But the Visualization Editor for dashboard panel visualizations gives you the ability to determine the granularity of the functionality for tables, and enables you to turn the functionality on or off for both tables and charts.

For more information about using the Visualization Editor, see "Edit dashboard panel visualizations," in this manual.

Table visualizations in dashboard panels have three drilldown options in the Visualization Editor. They are:

  • Row, which means that a click on a row sets off a search across the x-axis value represented by that row. For example, if the row represents a specific period of time, then a click on that row sets off a search that is identical to the search that generated the table, except that it only covers the time range that the row represents.
  • Cell, which sets off a search that is restricted to the x-axis value (the row) and the y-axis value (the column) represented by the cell, when the originating search includes a "split by" clause.
  • Off, which turns off the drilldown functionality for the table.

For example, you could use a cell-click in a table resulting from a "timechart count by clientip" search, where the columns are values of clientip, like 192.168.0.14. The timeline for the resulting search shows when those events occurred during that period.

Note: Tables produced by the Report Builder, Advanced Charting view, and the Search app timeline view have cell-level drilldown functionality by default. Tables produced for dashboard panels have row-level drilldown functionality by default.

Dashboard chart visualizations such as bar, column, line, area, and pie charts have two drilldown options in the Visualization Editor. They are:

  • Yes, which enables drilldown functionality for the visualization. This lets you drill down on a particular part of a chart or legend by clicking on it. For example, when you click on a particular column of a column chart generated by a timechart command, Splunk runs a search (based on the original search used to generate the column chart) that covers only the block of time represented by that column.
  • No, which turns off the drilldown functionality for the visualization.

For more information about how table and data series visualization drilldown actions actually work, see the following subtopics.

You can specify much more complex drilldown actions when you design them using advanced XML. For more information about designing drilldown actions for dashboards and views see the Developer manual.

Basic table drilldown functionality

As we explain above, you have three basic drilldown options when you define table visualization types with the Visualization Editor:

  • None - Drilldown functionality is turned off.
  • Row - A click on a row launches a drilldown search on the x-axis value (the value in the first column of the table) for that row.
  • Cell - A click on a cell launches a drilldown search on both the x-axis and y-axis values represented in that cell.

In general, when the search involved in the creation of the original table uses transforming commands, the drilldown wipes out the final transforming command and replaces it with arguments that drill down on the specific x-axis value or x- and y-axis value combination caught by the click. See the subsections below for examples of how this works.

Row drilldown

When a table in a dashboard panel has a Drilldown value of Row, you can initiate drilldown searches along whole rows by clicking on them.

Imagine that you have a dashboard table that is based on this search:

index="_internal" group="per_sourcetype_thruput" | chart sum(kbps) over series

In this table, a "row click" drilldown search would concentrate on the x-axis value of the selected row, which in this case would be a value of the series field, such as fs_notification:

[Figure: row-click data table example]

This click sets off the following search in the Search app, which finds six results:

index="_internal" group="per_sourcetype_thruput" series="fs_notification"

Note that the drilldown search is basically the same as the original search, except that the transforming command has been removed and replaced with a drilldown search term of series="fs_notification".

Cell drilldown

When a table has a Drilldown value of Cell, you can initiate drilldown searches for specific cells by clicking on them.

Say you have a table generated by the following search:

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | timechart sum(kb) by series

In this table, a "cell click" drilldown search would concentrate on a combination of the x-axis value (the value in the first column for the cell's row) and the y-axis value (the value of the cell's column).

[Figure: cell-click data table example]

In this example, the clicked cell initiates the following drilldown search over the 4:40:00pm to 4:40:59pm time range on 12/15/09 (the x-axis value) and adds a focus on the audittrail value of the series field (the y-axis value):

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="audittrail"

Note that this drilldown search removes the last transforming command from the originating search.

Note: The y-axis value will not come into play in all cell drilldown searches. Cell-click interactions are designed to work with tables and charts generated by searches containing a "split by" clause. Cell clicks in charts based on reporting commands like timechart max(eps) min(eps) avg(eps) will always behave like row clicks. Such tables should always be configured for row-click drilldown; this approach is less confusing for users of the table.
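
The row and cell rewrites described above, sketched in Python as an added example (not Splunk's implementation and not code from this manual): it strips the trailing transforming stages and appends each clicked field/value as a quoted term, escaping the value because fields such as referrer hold data supplied by whoever generated the logged event. The helper names, the TRAILING command set, the field-name pattern and the use of backslash escaping inside double-quoted terms are assumptions of this sketch.

```python
import re

# Assumption: commands this sketch treats as the trailing transforming stage.
# The page's examples strip chart, timechart, top and a trailing sort.
TRAILING = {"chart", "timechart", "top", "rare", "stats", "sort"}
FIELD_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def split_pipeline(search):
    """Split on '|' outside double quotes (subsearches in [ ] not handled)."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in search:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == "|" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def quote_value(value):
    """Escape backslashes and quotes so the clicked value stays one literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def drilldown_search(original, clicks):
    """Build a drilldown search from (field, clicked_value) pairs.

    A clicked _time value is not a term; it narrows the search time range.
    """
    for field, _ in clicks:
        if not FIELD_NAME.match(field):
            raise ValueError(f"unexpected field name: {field!r}")
    stages = split_pipeline(original)
    # Drop trailing transforming stages, but never the base search itself.
    while len(stages) > 1 and (stages[-1].split() or [""])[0].lower() in TRAILING:
        stages.pop()
    terms = " ".join(f"{f}={quote_value(v)}" for f, v in clicks)
    if len(stages) == 1:
        return f"{stages[0]} {terms}"
    return " | ".join(stages + [f"search {terms}"])
```

For a cell click on a timechart table, pass only the split-by pair (for example series and audittrail) and apply the clicked row's time span as the time range of the new search.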

Basic chart drilldown functionality

As we mentioned earlier in this topic, when you define chart panel types with the panel editor, you use the Drilldown control to determine whether drilldown functionality is enabled for the panel:

  • Off - Drilldown functionality is turned off.
  • On - A click on a portion of a chart launches a drilldown search into the values that that portion of the chart represents.

In general, when the search involved in the creation of the original chart uses transforming commands, the drilldown wipes out the final transforming command and replaces it with arguments that drill down on the specific x-axis value or x- and y-axis value combination caught by the click. See the subsections below for examples of how this works.

Bar, column, line, and area chart drilldown

Drilldown searches on dashboard bar, column, line, and area charts behave differently depending on whether you click in the body of the chart or in the chart legend, if a legend is displayed.

In general, no matter what you click in the body of a bar, column, line, or area chart, Splunk creates a drilldown search that:

  • duplicates the search that originated the chart, except with the final transforming commands removed.
  • adds a new search term based on the "x-axis" value that you select in the chart.
  • possibly adds a "y-axis" value, depending on whether a meaningful y-axis value exists in the originating search. For example, most split-by values work as "y-axis" values. But things like avg(eps) will not.

Say you have a bar chart based on the following search:

index="_internal" source="*metrics.log" group="pipeline" | chart sum(cpu_seconds) over processor | sort 10 - sum(cpu_seconds)

In this chart, the x-axis is the processor value, while the y-axis is the cpu_seconds sum over the given time range (the last 60 minutes).

[Figure: bar chart drilldown, click in chart body]

If you click in the body of this chart, the drilldown search drills down on the x-axis value represented by that bar:

index="_internal" source="*metrics.log" group="pipeline" processor="indexer"

Note that the drilldown search is identical to the original search except that the final set of transforming commands has been removed and a focus has been added on the indexer value of processor.

Drilldown searches on legend items are different. Drilldown searches for chart legends only work when there is a split-by (or y-axis) field in the chart. For example, legend items for a line chart based on timechart avg(eps) by series are values of series, such as audittrail. A click on the audittrail item results in a drilldown search in which series=audittrail is added to the originating search. Legend item drilldown searches always run over the same time range as the originating search.

Note: Sometimes the legend element is something that can't really be drilled down into, like avg(eps). Clicks on such legend items return an error message.

Pie chart drilldown

Pie charts provide identical drilldown behavior whether you click in the body of the chart--a pie slice, in other words--or the label pointing to that slice. Either way, the drilldown focuses on the value represented by the slice or label you click on.

So if the pie chart displays the top processors being utilized over the past 24 hours, and you click on the chart portion or legend item representing the indexer processor, then the drilldown search will be the same as the original, only with the transforming command removed and processor=indexer added. You'll get the same result if you click on the indexer label.

Drilldown, tables, and multivalue fields

If you have a table panel with a column that represents a multivalue field, and you want to be able to drill down on discrete values of that multivalue field, you'll need to make changes to the XML beneath the panel in order to make the drilldown action work as expected. This fix involves the $click.value2$ destination value, which is usually used for charts, not tables.

For more information see the multivalue drilldown example in "Dynamic drilldown in dashboards and forms," in this manual.

Advanced drilldown behavior

If you're willing to delve into the XML code that your dashboard is built upon, you have the opportunity to set up a variety of useful dynamic drilldown interactions for your dashboard users that go far beyond what we currently enable via the Splunk Web interface.

For example, you can set up dashboards with drilldown actions that:

  • Run the drilldown search in a new dashboard, rather than the Timeline view. For example, you could set up a table panel so that a click in a cell opens up a dashboard with a line chart that displays the drilldown results. You can go further and use this method to set up a nested series of drilldown searches. For example: A click in a bar chart opens a table, a click in that table opens a line chart, and a click in that line chart opens a search in a separate window.
  • Pass a clicked value to a target form. For example, you could set up a table where a click on a product_type value opens up a form that has an open product_type field at the top and a series of panels underneath that use the product_type value in their searches. Unlike a regular dashboard, the form enables the user to change the time range of the search and rerun it. The user can even enter a different product_type value.
  • Pass a clicked value as a query parameter to an external website or system. For example, you could have a dashboard with a table that shows the top venues for a specific city according to FourSquare checkin. You could set up a drilldown action for the Venue field in that table--when a specific value is clicked, such as the Four Seasons Hotel--the user is taken to the page for the Four Seasons Hotel on an external website that provides user-generated reviews.
  • Launch a different search than the search that generates the data in the table or chart. For example, if you've built many charts and tables on searches of a particular summary index, you might want to send your users to a search that isn't based on that summary index.

For more information about setting up these drilldown actions in dashboards and forms built with simple XML, see "Dynamic drilldown in dashboards and forms," in this manual.

For more information about setting up these drilldown actions in dashboards and forms built with advanced XML, see "Customize drilldown options" in the Developing Views and Apps for Splunk Web manual.

This documentation applies to the following versions of Splunk: 6.0, 6.0.1, 6.0.2, 6.0.3

