Splunk® Enterprise

Dashboards and Visualizations

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Dynamic drilldown in dashboards and forms

Splunk 5.0 introduces dynamic drilldown in dashboards and forms. With dynamic drilldown you can define custom destinations to link to when a user clicks on fields in a dashboard or form. The value captured by the click is passed to the destination. The destination can be another dashboard, form, or view within your Splunk installation or an external web page.

For example, the following dashboard lists sourcetype throughput as a table. Subsequent figures show the results of dynamic drilldown after clicking the selected cell, "splunk_web_service."

Viz DrilldownTable.png



You can define destinations that open another form, passing in the sourcetype clicked.

Viz DrilldownTargetForm.png



You can also pass the value of what is clicked to a web page, such as Splunk Answers.

Viz DrilldownTargetWebPage.png



Note: Splunk offers basic drilldown capability out of the box. For more information about how this core drilldown functionality works, see "Understand basic table and chart drilldown actions," in this manual.

Dynamic drilldown basics

To implement dynamic drilldown, use <drilldown> tags.

Place the <drilldown> tags within a table or chart. Within the <drilldown> tag, add one or more <link> tags. Use the <link> tag to specify a destination for the drilldown. For example:

<dashboard>

 <row> 
   <table>
     <title>Sourcetypes by source (Dynamic drilldown to a form)</title>
     <searchString>
       index="_internal" | stats dc(sourcetype) by sourcetype, source
     </searchString>
     <earliestTime>-60m</earliestTime>
     <latestTime>now</latestTime>
     <option name="count">15</option>
     <option name="displayRowNumbers">false</option>
     <option name="showPager">true</option>
     <drilldown>
      <link>
         /app/dashboard_examples/form_table2?form.sourcetype=$row.sourcetype$
       </link>
     </drilldown>   
   </table>
 </row>

</dashboard>

Specify destinations

Here is the syntax for specifying links:

<drilldown>

  <link>...</link>
  <link>...</link>
   . . .
  <link>...</link>

</drilldown>


There are various ways to specify a destination with the <link> tag. Here is the syntax for specifying a destination in a variety of scenarios:

1. Use a relative path to connect to a dashboard.
2. Use a relative path to connect to a form, passing in a token to populate the form.
3. Pass in the earliest and latest time range from the original search.
    (Requires use of CDATA, as indicated in the following sections.)
4. Use a URL and query argument to pass a value to the destination page

1) <link> path/viewname </link>
2) <link> path/viewname?form.token=$dest_value$ </link>
3) <link> path/viewname?form.token=$dest_value$&earliest=$earliest$&latest=$latest$ </link>
4) <link> URL?q=$dest_value$ </link>

Capture values

There are various ways to capture a value from a dashboard or form and pass the value to the destination.

Use the field or series attribute to the <link> element to specify which values to capture. For tables, use the field attribute to capture the values from the specified column or row. For charts, use the series attribute to capture the values from the specified series.

For example, if your dashboard has a table with columns A, B, and C, consider the following examples:

1. Capture the value from a click in Column A and open a form with the captured value. Clicks in either Column B or Column C use default drilldown behavior.

<link field="A"> path/viewname?form.token=$dest_value$ </link>

2. Same behavior as 1 above, except a click in Column B passes the value as a query argument to a web page.

<link field="A"> path/viewname?form.token=$dest_value$ </link>
<link field="B"> URL?q=$dest_value$ </link>

Syntax for specifying destinations

Element: Description

  • field:
    Optional. A specific field from which to capture a value to pass to the destination.
    Use field in tables to specify the field from a selected column.
    When field is specified, clicks on any other field in a table do not result in redirection.
  • series:
    Optional. A specific series from which to capture a value to pass to the destination.
    Use series in charts to specify the series from which to capture a value.
    When series is specified, clicks on any other series in a chart do not result in redirection.
  • path:
    Specify a path to the destination view from the current view. Typically, you specify path as: /app/app_name/
    However, you can also specify a relative path, based on the app context of the source and destination views.
    You can also use the URL element to specify the URL to the destination view.
  • viewname:
    The name of the Splunk view you are using for a destination.
  • $dest_value$:
    Specifies how to capture a value from a table or chart. See below for details.
  • URL:
    Specify a URL to a web page. You must use the full address, including the protocol. For example: http://.
  • q:
    When specifying a URL, use q to specify the value of dest_value in a query string to a web resource.

There are various ways you can specify dest_value to indicate the value to capture from the table or chart, as indicated below:

dest_value: Description

  • click.name, click.name2:
    For use with tables.
    click.name: The value in a table column
    click.name2: The value in a table row
    Note: For multivalue fields in a table, use click.value2. See Dashboard linking to a multivalue field example below.
  • click.value, click.value2:
    For use with charts.
    For all charts, except Bar charts:
    click.value: The value on the X-axis
    click.value2: The value on the Y-axis
    (for Bar charts, these values are reversed)
    Note: Multivalue fields in a table also use click.value2. See Dashboard linking to a multivalue field example below.
  • form.token:
    token specifies the token accepted as input by the target form. Use as a parameter to the URL for the target form.
    For example, you can populate a target form's form element that has a src token with the value of the src token of the source form's form element. Add the following parameter to the URL for the target form:

    ?form.src=$form.src$

  • earliest, latest:
    Pass the earliest and latest times for a search to the drilldown target. Use as parameters to the URL for the target view.
    For example, add:

    &earliest=$earliest$&latest=$latest$

    to the drilldown target view URL. Use CDATA to escape the '&' in the parameters.
  • row.fieldname:
    For use with tables.
    Specifies the field from the selected row or column from which to capture the value.

Dynamic drilldown examples

This section provides examples of creating a dynamic drilldown in dashboards or forms. Most of the searches are based on data available from the Splunk Tutorial. If you want to download the data from the Splunk Tutorial to create the dashboards from these examples, see Get the sample data into Splunk.

Destination form

These examples assume that you have created the following form relative to the default Splunk search app. This form is the destination form in the examples.

FormSearchDrillDown: /app/search/FormsSearchDrillDown

<form>
  <label>Form search drilldown destination</label>
  
  <!-- define master search template, with replacement tokens delimited with $ -->
  <searchTemplate>sourcetype="$sourcetype$" | head 1000</searchTemplate>
  <earliestTime>-30d</earliestTime>
  <latestTime>-0d</latestTime>

  <html>
    Enter a sourcetype in the field below to display the most recent 1000 events
    from the metrics log concerning that sourcetype.
  </html>
  <fieldset>
      <!-- the default is a text box, with no seed value; if user does not input
          a value, then the $sourcetype$ token in searchTemplate will be removed -->
      <input token="sourcetype" />
  </fieldset>
  
  <row>
      <!-- output the results as a 50 row events table -->
      <table>
        <title>Matching events</title>
        <option name="count">50</option>
      </table>
  </row>
  
</form>

Dashboard linking to a Splunk form

This example illustrates how to use a dashboard to implement drilldown from a table to a Splunk form.

The key to how this example works is in the <link> tag. The tag specifies the following:

  • Path to the target form, FormSearchDrillDown
  • The token to use in the target form, sourcetype
  • Pass the value of the processor field from the row selected to the destination form. In this dashboard, no matter where you click on a row, the value for processor in that row is grabbed.
  • Pass the earliest and latest times for the search to the target view.

Note: Use the CDATA section to ensure the '&' character is interpreted correctly.

<link>
<![CDATA[
  /app/dashboard_examples/form_table2?form.sourcetype=$row.sourcetype$&earliest=$earliest$&latest=$latest$
]]>
</link>


Here is the complete dashboard code:

Dashboard example that links to a Splunk form

<dashboard>
 <label>Dashboard with dynamic drilldown to a Splunk form</label>
  <row>

    <table>
      <searchString>
         index="_internal" group="per_sourcetype_thruput" |
         chart sum(kbps) over series
      </searchString>
      <title>Top sourcetypes (drilldown example)</title>
      <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
      <option name="count">15</option>
      <option name="displayRowNumbers">false</option>
      <option name="showPager">true</option>
      
     <drilldown>
       <link>
       <![CDATA[
  /app/dashboard_examples/form_table2?form.sourcetype=$row.sourcetype$&earliest=$earliest$&latest=$latest$
       ]]>
       </link>
     </drilldown>      
    </table>

  </row>
</dashboard>

Form linking to Splunk Answers website

This example illustrates how to use a form to implement drilldown from a chart to an external website.

The key to how this example works is in the <link> tag. The tag specifies the following:

  • The complete URL to Splunk Answers
  • Uses $click.value$ to grab the value from the X-axis and passes it as a query parameter to Splunk Answers

<link>
  http://splunk-base.splunk.com/integrated_search/?q=$click.value$
</link>


Here is the complete code for the form:

Splunk form that uses dynamic drilldown to link to an external website

<form>
  <label>Form Search (Beta)</label>
  
  <!-- define master search template, with replacement token delimited with $ -->
  <searchTemplate>
     index="_internal" group="per_sourcetype_thruput" series=$sourcetype$ 
     | chart sum(kbps) over series
   </searchTemplate>

  <fieldset>
     <!-- Use the html tag to specify text to display -->
     <html>
       <p>Enter a sourcetype in the field below. This view returns the most recent 1000 events for that sourcetype.</p>
       <p>In the Matching Events, click in the series column to open the value clicked in a new form</p>
     </html>

     <!-- The default input is a text box, with no seed value -->
     <input token="sourcetype" />
    
     <!-- Include a time picker -->
     <input type="time">
        <default>Last 30 days</default>
      </input>
  </fieldset>
  
  <row>
      <!-- output the results as a 50 row events table -->
      <table>
        <title>Matching events</title>
        <option name="count">50</option>
        
        <!-- $click.value$ captures the value clicked by the user -->
        <!-- and passes it to the website as a query parameter        -->
        <drilldown>          
          <link>
             http://splunk-base.splunk.com/integrated_search/?q=$click.value$
          </link>
        </drilldown>
     </table>
  </row>
  
</form>

Dashboard linking to a multivalue field

If you have a dashboard that displays multivalue fields, you can specify a drilldown location specific to the value clicked. Multivalue fields are fields that appear multiple times in an event and have a different value for each appearance. See Configure multivalue fields for more information on multivalue fields.

Typically with values for a table, you specify $click.name$ or $click.name2$ to capture the value for drilldown from a column or row. However, for multivalue fields, use $click.value2$ to capture the selected value for drilldown. Additionally, the <link> tag uses the field attribute to limit the selection in the column to the multivalue field.

For example, here is how you capture the clicked value for the badges multivalue field in a dashboard. In this dashboard, badges represent user checkins to a FourSquare event during the Splunk 2012 Users Conference.

<link field="badges">

 /app/foursquare_vegas/vegas_badge_1?form.badge=$click.value2$

</link>

  • field:
    Limit the selection to this field
  • /app/foursquare_vegas/vegas_badge_1
    Target form for the drilldown action
  • form.badge:
    Token to use in the target form for the clicked value


Below is the complete source code for this dashboard. The dashboard also has two other drilldown links, plus implements sparklines (see "Add sparklines to search results" in the Search Manual).

Multivalue field drilldown is called out in the code.

<!-- Dashboard enabling drilldown for a multivalue field -->

<dashboard>
  <label>Demo: drilldown</label>
  <row>
    <table>
      <searchString>
        index=foursquare checkin.primarycategory.nodename=*
        | spath output=venue path=checkin.venue.name
        | spath output=badges path=checkin.badges{}.name
        | eval link="Yelp Search"
        | stats count as checkins sparkline values(badges)
              as "badges" values(link) as "links" by venue
        | sort -checkins
      </searchString>
      
      <format field="sparkline" type="sparkline">
        <option name="type">bar</option>
        <option name="height">30</option>
        <option name="barColor">green</option>
        <option name="colorMap">
          <option name="5:9">yellow</option>
          <option name="10:">red</option>
        </option>
      </format>
      <title>Top Venues</title>
      <drilldown>
        
        <!-- Multivalue field drilldown -->
        <link field="badges">
         /app/foursquare_vegas/vegas_badge_1?form.badge=$click.value2$
        </link>
        
        <link field="venue">
          /app/foursquare_vegas/vegas_venue_1?form.venue=$row.venue$
        </link>
        <!-- CDATA keeps the raw '&' in the query string from breaking the XML -->
        <link field="links">
          <![CDATA[
          http://www.yelp.com/search?find_desc=$row.venue$&find_loc=Las+Vegas,+NV
          ]]>
        </link>
      </drilldown>
      
    </table>
  </row>  
</dashboard>


Here is the actual dashboard, which was demoed at the 2012 Splunk Users Conference:

5.0-dynamic drilldown-multivalue field 1.jpg

And here is the form that opens after clicking a value for badges:

5.0-dynamic drilldown-multivalue field 2.jpg
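
Because a <link> can send the clicked value to an external web page as well as to another Splunk view, it is useful to review where each drilldown in a dashboard sends data. The following is an added example, not part of the Splunk documentation: a small Python audit of the <drilldown><link> forms described on this page. The function name audit_drilldowns and the record layout are assumptions made for illustration, and SAMPLE is constructed from links shown above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TOKEN = re.compile(r"\$([A-Za-z_][\w.]*)\$")  # $click.value$, $row.venue$, $earliest$ ...

# Constructed sample built from <link> forms shown on this page.
SAMPLE = """<dashboard><row><table>
  <drilldown>
    <link field="badges">
      /app/foursquare_vegas/vegas_badge_1?form.badge=$click.value2$
    </link>
    <link><![CDATA[
      /app/dashboard_examples/form_table2?form.sourcetype=$row.sourcetype$&earliest=$earliest$&latest=$latest$
    ]]></link>
    <link field="links">
      http://splunk-base.splunk.com/integrated_search/?q=$click.value$
    </link>
  </drilldown>
</table></row></dashboard>"""


def audit_drilldowns(xml_text):
    """Return one record per <drilldown><link>: target, tokens passed, findings."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # On drilldown links the usual cause is a raw '&' outside CDATA.
        return [{"target": None, "external": False, "host": "", "tokens": [],
                 "findings": [f"not well-formed XML: {exc}"]}]
    records = []
    for drilldown in root.iter("drilldown"):
        for link in drilldown.findall("link"):
            target = "".join(link.itertext()).strip()
            tokens = TOKEN.findall(target)
            url = urlsplit(target)
            external = bool(url.scheme and url.netloc)  # full address with protocol
            findings = []
            if external and tokens:
                findings.append(f"sends {', '.join(tokens)} to external host {url.netloc}")
            if external and url.scheme == "http":
                findings.append("external link uses cleartext http")
            records.append({"target": target, "external": external,
                            "host": url.netloc, "tokens": tokens, "findings": findings})
    return records


if __name__ == "__main__":
    for rec in audit_drilldowns(SAMPLE):
        print("EXTERNAL" if rec["external"] else "internal", rec["tokens"], rec["findings"])
```

Run it over a dashboard's simple XML source to list which clicked values stay inside Splunk and which are placed in the query string of an outside site.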


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

