Splunk® Enterprise

Dashboards and Visualizations

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Simple XML Reference

Dashboards and forms

dashboard

<dashboard>

Root element of a view containing a series of rows, each of which can display up to three panels.

<dashboard>
  <label> (0..1)
  <description> (0..1)
  <row> (1..n)
    <chart> |  <event> | <html> | <list> | <single> | <table> (1..n)
Attributes
Name Type Default Description
isVisible Boolean
True
Specifies whether the dashboard is listed in the system list of views.
onunloadCancelJobs Boolean Specifies whether to cancel search jobs when navigating away from a dashboard.
refresh Integer
0
Sets the refresh interval, in seconds. Dashboard reloads after the specified refresh interval.
script String Comma-separated list of custom JavaScript files to load.
stylesheet Text Comma-separated list of custom stylesheets to use for the dashboard.
Example
<dashboard>
  <label>Data inputs</label>
  <description>Listing of data inputs</description>
  <row>
    <chart>
      <searchName>My saved report</searchName>
    </chart>
   </row>
</dashboard>

form

<form>

A form is a top-level element that implements a dashboard with an interface to supply values for one or more search terms used in the dashboard.

The <searchTemplate> tag defines the required search for a form. You can specify the <searchTemplate> as global to all panels within the form, or within a panel of the form. If specified as global and within a panel, the panel ignores the global <searchTemplate>.

<form>
  <label> (0..1)
  <description> (0..1)
  <searchTemplate> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <fieldset> (1)
    <input> (1..n)
  <row> (1..n)
    <chart> |  <event> | <html> | <list> | <map> | <single> | <table> (1..n)
      <searchTemplate> (0..1)
Attributes
Name Type Default Description
isVisible Boolean
True
Specifies whether the dashboard is listed in the system list of views.
onUnloadCancelJobs Boolean Specifies whether to cancel search jobs when navigating away from a dashboard.
refresh Integer
0
Sets the refresh interval, in seconds. Dashboard reloads after the specified refresh interval.
script String Comma-separated list of custom JavaScript files to load.
stylesheet Text Comma-separated list of custom stylesheets to use for the dashboard.
Example
<form>
  <label>Username</label>
  <description>Last 100 users logged in during the last seven days</description>  
  <searchTemplate>sourcetype=logins $username$</searchTemplate>
  <earliestTime>-7d</earliestTime>
  <latestTime>-0d</latestTime>    

  <fieldset>
      <input type="text" token="username" />
  </fieldset>
  
  <row>
     <event>
       <option name="count">100</option>
      </event>
   </row>
</form>

row

<row>

A container for displaying one or more panels in a horizontal layout of a dashboard or form. Splunk does not enforce a limit on the number of panels you can place in a row.

Parent elements
<dashboard> | <form>
<row grouping="i[,j]...">
  <chart> |  <event> | <html> | <list> | <map> | <single> | <table> (1..n)
Attributes
Name Type Default Description
grouping comma-separated list of integers No
grouping
Sets the grouping for the panels in a row according to a comma-separated list of numbers representing the panels to be grouped. When you group panels, the visualization for each grouped panel is placed in a container. With one exception, you can consider the containers as columns for the panel visualizations. Visualizations are placed one above the other in the container. If the grouping contains only visualizations of type <single>, the visualizations are placed side-by-side.

The first number in a grouping configures a group for the initial number of panels specified for that group. Subsequent numbers in the list similarly form a group for the next set of panels.

For example, suppose you have a row with 6 visualizations. Specify the following grouping:

<row grouping="2,1,3">

This creates a container with the first two panels, a second container with one visualization, and a third container with the last three panels grouped.

Example
<dashboard>
 <label>My dashboard</label>
  <row grouping="2,2">
   <!-- First grouped container, grouped as a column  -->
   <single>. . .</single>
   <list>. . .</list>

   <!-- Second grouped container, grouped as a column  -->
   <single>. . .</single>
   <table>. . .</table>
  </row>
</dashboard>

label

<label>

Header text for a dashboard or form

Parent element
<dashboard> | <form>
<label>[text]</label> (0..1)
Example
<dashboard>
  <label>Event count for different sourcetypes</label>
  . . .
</dashboard>

description

<description>

Text that appears beneath the label of a dashboard or form.

Parent element
<dashboard> | <form>
<description>[text]</description> (0..1)
Example
<dashboard>
  <label>Event count for different sourcetypes</label>
  <description>Listing of common source types</description>
  . . .
</dashboard>

Form inputs

fieldset

<fieldset>

Defines the input elements to a form

Attributes
Name Type Default Description
autoRun Boolean
False
Indicates whether to run the search when the page loads.
submitButton Boolean
True
Indicates whether to display a Submit button.
Parent element
<form>
<fieldset autoRun="[Boolean]" submitButton="[Boolean]">
  <html> (0..n)
  <input type="[input type]" token="[search token]"> (1..n)
    <label> (0..1)
    <default> (0..1)
    <prefix> (0..1)
    <seed> (0..1)
    <suffix> (0..1)
    <populatingSearch> | <populatingSavedSearch> (0..1)
Example
<fieldset autoRun="true" submitButton="false">
  <input type="text" token="series">
    <label>sourcetype</label>
    <default></default>
    <seed>splunkd</seed>
    <suffix>*</suffix>
  </input>
</fieldset>


input (dropdown)

<input type="dropdown">

Defines a dropdown input to a form.

Attributes
Name Type Default Description
searchWhenChanged Boolean Specifies to run the search upon a new selection.
token String Specifies which token in the search string to replace with the specified value.
Parent element
<fieldset>
<input type="dropdown" token="[search token]"> (1..n)
  <choice> (0..n)
  <label> (0..1)
  <default> (0..1)
  <prefix> (0..1)
  <seed> (0..1)
  <populatingSearch> | <populatingSavedSearch> (0..1)
  <suffix> (0..1)
<dropdown> child elements
element Type Default Description
<choice value=[value]> Text value: Required. Specifies the value to use for the choice.

Specifies choices for a radio or dropdown element. <choice> Is the label to use for the specified value.

<default> Attribute value Specifies a default value for an input element.
<label> Text Text displayed with the input element.
<populatingSavedSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]">

<populatingSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]"
   earliest="[timeformat]"
   latest="[timeformat]">

String fieldForLabel: Required.The field to use for the labels of the generated values from the search.

fieldForValue: Required. The field to use for the values of the generated values from the search.

Search to populate the possible values of a <dropdown> or <radio> input element.

<populatingSavedSearch> specifies a search from a report.

<populatingSearch> specifies an inline search.

<prefix> String String prefixed to the value of the input element. Can be a regular expression.
<seed> Attribute value The initial value of the input element. Can be specified by a value returned from a populating search.
<suffix> String String appended to the value of the input element. Can be a regular expression.
Example
<fieldset>
  <input type="dropdown" token="series">
    <choice value="*">Any</choice>
    <label>Select series</label>
    <populatingSearch fieldForValue="series" fieldForLabel="series">
      <![CDATA[index=_internal source=*metrics.log group="per_sourcetype_thruput" | top series]]>
    </populatingSearch>
  </input>
</fieldset>

input (radio)

<input type="radio">

Defines radio input to a form.

Attributes
Name Type Default Description
searchWhenChanged Boolean Specifies to run the search upon a new selection.
token String Specifies which token in the search string to replace with the specified value.
Parent element
<fieldset>
<input type="radio" token="[search token]"> (1..n)
  <choice> (0..n)
  <label> (0..1)
  <default> (0..1)
  <prefix> (0..1)
  <seed> (0..1)
  <populatingSearch> | <populatingSavedSearch> (0..1)
  <suffix> (0..1)
<radio> child elements
element Type Default Description
<choice value=[value]> Text value: Required. Specifies the value to use for the choice.

Specifies choices for a radio or dropdown element. <choice> Is the label to use for the specified value.

<default> Attribute value Specifies a default value for an input element.
<label> Text Text displayed with the input element.
<populatingSavedSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]">

<populatingSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]"
   earliest="[timeformat]"
   latest="[timeformat]">

String fieldForLabel: Required.The field to use for the labels of the generated values from the search.

fieldForValue: Required. The field to use for the values of the generated values from the search.

Search to populate the possible values of a <dropdown> or <radio> input element.

<populatingSavedSearch> specifies a search from a report.

<populatingSearch> specifies an inline search.

<prefix> String String prefixed to the value of the input element. Can be a regular expression.
<seed> Attribute value The initial value of the input element. Can be specified by a value returned from a populating search.
<suffix> String String appended to the value of the input element. Can be a regular expression.
Example
<fieldset>
  <input type="radio" token="from" searchWhenChanged="true"> 
    <label>Select from address</label> 
    <choice value="*">Any</choice> 
    <populatingSearch fieldForValue="from" fieldForLabel="from"> 
      <![CDATA[index=sample | top from | stats count by from]]> 
    </populatingSearch> 
  </input> 
</fieldset>

input (text)

<input type="text>

Defines the type of input to a form.

Attributes
Name Type Default Description
searchWhenChanged Boolean Specifies to run the search when new text is entered.
token String Specifies which token in the search string to replace with the specified value.
Parent element
<fieldset>
<text> child elements
element Type Default Description
<default> Attribute value Specifies a default value for an input element.
<label> Text Text displayed with the input element.
<prefix> String String prefixed to the value of the input element. Can be a regular expression.
<seed> Attribute value The initial value of the input element. Can be specified by a value returned from a populating search.
<suffix> String String appended to the value of the input element. Can be a regular expression.
<input type="text" token="[search token]"> (1)
  <label> (0..1)
  <default> (0..1)
  <seed> (0..1)
  <prefix> (0..1)
  <suffix> (0..1)
Example
<fieldset>
  <input type="text" token="series">
    <label>sourcetype</label>
    <default></default>
    <seed>splunkd</seed>
    <suffix>*</suffix>
  </input>
</fieldset>

input (time)

<input type="time">

Specifies a time picker input to a form.

You can use tokens to specify more than one time range picker, and associate them with individual panels. This requires JavaScript and CSS to associate and place the time pickers in the panels.

Attributes
Name Type Default Description
token text Use tokens to associate a time picker with a panel.

This attribute requires JavaScript and CSS to make the association and placement within the panel.

searchWhenChanged Boolean Specifies to run the search upon a new selection.
Parent element
<fieldset>
<input type="time" [ token="[text]" ] [ searchWhenChanged="[true|false]" ]> (0..n)
  <label> (0..1)
  <default> (0..1)
    [time preset] (0..1) |
    <earliestTime> (0..1)
    <latestTime> (0..1)
  </default>
element Type Default Description
<default> Text

or

Time modifier

Specifies a default value for an input element.

You can specify either a preset value, as listed in times.conf,

or

the <earliestTime> and <latestTime> for a custom default time range. Use relative time modifiers for the custom time values, as described in Time modifiers for search.

<label> Text Text displayed with the input element.
Example
<fieldset>
  <input type="time">
  </input>
</fieldset>
Example
<form script="timerange_panels.js" stylesheet="timerange_panels.css">
. . .
<fieldset>
  <input type="time" token="time1">
    <default>Last 15 minutes</default>
  </input>
  <input type="time" token="time2">
    <default>Last 60 minutes</default>
  </input>
</fieldset>



populatingSavedSearch

<populatingSavedSearch>

A search from a report to populate the possible values of a <dropdown> or <radio> input element.

Attributes
Name Type Default Description
fieldForLabel Field name Required: The field to use for the label of the list of generated values from the search.
fieldForValue Field name Required. The field to use for the value of the generated values from the search.
Parent elements
<input type="radio"> | <input type="dropdown">
<populatingSavedSearch fieldForValue="[field name]" fieldForLabel="[field name]"> 
    [report name]
</populatingSavedSearch> 
Examples
<fieldset> 
  <input type="radio" token="from" searchWhenChanged="true"> 
    <label>Select from address</label> 
    <choice value="*">Any</choice> 
    <populatingSavedSearch fieldForValue="from" fieldForLabel="from"> 
      MyReport 
    </populatingSavedSearch> 
  </input>

  <input type="dropdown" token="series"> 
    <label>Select series</label> 
    <populatingSavedSearch fieldForValue="series" fieldForLabel="series"> 
      MyMetricsReport 
    </populatingSavedSearch> 
    <choice value="*">Any</choice> 
  </input> 
</fieldset>

populatingSearch

<populatingSearch>

An inline search to populate the possible values of a <dropdown> or <radio> input element.

Attributes
Name Type Default Description
fieldForLabel Field name Required: The field to use for the label of the list of generated values from the search.
fieldForValue Field name Required. The field to use for the value of the generated values from the search.
earliest Time modifier Restrict search results to a specific time window, specifying one or both of earliest and latest. For example, specify earliest="-7d" latest="-1d". Specify rt to enable real-time searches. See Specify time modifiers in your search for information on time modifiers.
latest Time modifier Restrict search results to a specific time window. See description for earliest.
Parent elements
<input type="radio"> | <input type="dropdown">
<populatingSearch
  fieldForValue="[field name]" fieldForLabel="[field name]"
  earliest="[timeformat]" latest="[timeformat]"> 
    [inline search]
</populatingSearch> 
Examples
<fieldset> 
  <input type="radio" token="from" searchWhenChanged="true"> 
    <label>Select from address</label> 
    <choice value="*">Any</choice> 
    <populatingSearch fieldForValue="from" fieldForLabel="from"> 
      <![CDATA[index=sample | top from | stats count by from]]> 
    </populatingSearch> 
  </input>

  <input type="dropdown" token="series"> 
    <label>Select series</label> 
    <populatingSearch fieldForValue="series" fieldForLabel="series"> 
      <![CDATA[index=_internal source=*metrics.log group="per_sourcetype_thruput" | top series]]> 
    </populatingSearch> 
    <choice value="*">Any</choice> 
  </input> 
</fieldset>

Panel visualization elements

chart

<chart>

A panel displaying search data in chart format. Saved reports contain chart formatting parameters. Saved searches, on the other hand, do not. For more information, see "Save reports and share them with others."

When you load a saved report in the chart panel, your saved report format is also loaded. However, chart formatting can be overridden inline using the chart options.

Charts use named options to specify chart-specific properties. This reference lists a few useful options. See the [Custom Chart Configuration Reference] for a complete list of chart options.

Attributes
Name Type Default Description
id String Unique id for this panel
Parent element
<row>
<chart>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <drilldown> (0..n)
  <option name="[property]"> (0..n)
Options
property Type Default Description
charting.chart (area | bar | column | fillerGauge | line | markerGauge | pie | radialGauge | scatter)
column
Set the chart type.
charting.legend.placement (top | left | bottom | right | none)
right
Indicates the placement of the legend.
charting.*
All of the formatting options supported for chart. See the Custom Chart Reference for details.
height Number
Height, in pixels, of the chart.
link.exportResults.visible Boolean
(See description)
Show the Export button at the bottom of the panel.

Default value: The value of link.visible.

link.inspectSearch.visible Boolean
(See description)
Show the Inspect button at the bottom of the panel.

Default value: The value of link.visible.

link.openSearch.search search string
The alternative search to use for the Open in Search button.
link.openSearch.searchEarliestTime (time modifier)
(See description)
The earliest time to use for the alternative search specified by link.openSearch.search.

Default value: The earliest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.searchLatestTime (time modifier)
(See description)
The latest time to use for the alternative search specified by link.openSearch.search.

Default value: The latest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.text text
Open in Search
The label to use for the Open in Search button.
link.openSearch.ViewTarget View name
Search
The target view for the Open in Search button.
link.openSearch.visible Boolean
(See description)
Show the Open in Search button at the bottom of the panel.

Default value: The value of link.visible

link.visible Boolean
true
Show link buttons at the bottom of the panel.
Example

Example line chart panel using an inline search. It limits results to a specified time window and provides labels for the X and Y axes:

<chart>
  <title>Top five sourcetypes in the last week</title>
  <searchString>
    index=_internal source="*metrics.log" group=per_sourcetype_thruput
    | timechart sum(kb) by series
  </searchString>
  <earliestTime>-1w</earliestTime>
  <latestTime>-1d</latestTime>
  <option name="height">200px</option>
  <option name="charting.chart">line</option>
</chart>
Viz SimpleXML ref chart.png

event

<event>

A panel displaying search results as individual events.

Attributes
Name Type Default Description
id String Unique id for this panel
Parent element
<row>
<event>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <fields> (0..1)
  <option name="[property]"> (0..n)
Options
property Type Default Description
count Integer The maximum number of rows to display.
displayRowNumbers Boolean
False
(Deprecated) Use the attribute rowNumbers

Toggle display of row numbers.

entityName (events | results)
events
Toggle whether to show events or results. Events are individual events, while results are created by statistical operators.
link.exportResults.visible Boolean
(See description)
Show the Export button at the bottom of the panel.

Default value: The value of link.visible.

link.inspectSearch.visible Boolean
(See description)
Show the Inspect button at the bottom of the panel.

Default value: The value of link.visible.

link.openSearch.search search string
The alternative search to use for the Open in Search button.
link.openSearch.searchEarliestTime (time modifier)
(See description)
The earliest time to use for the alternative search specified by link.openSearch.search.

Default value: The earliest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.searchLatestTime (time modifier)
(See description)
The latest time to use for the alternative search specified by link.openSearch.search.

Default value: The latest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.text text
Open in Search
The label to use for the Open in Search button.
link.openSearch.ViewTarget View name
Search
The target view for the Open in Search button.
link.openSearch.visible Boolean
(See description)
Show the Open in Search button at the bottom of the panel.

Default value: The value of link.visible

link.visible Boolean
true
Show link buttons at the bottom of the panel.
list.drilldown (full | inner | outer | none)
full
Specifies how drilldown operates in the event listing:

full: Enables the entire entry for drilldown.

inner: Enables inner elements of the event listing for drilldown.

outer: Enables outer elements of the event listing for drilldown.

none: Disables drilldown.

list.wrap Boolean
true
Indicates whether to wrap the contents of the event listing.
maxLines Integer The maximum number of lines to display for each result/event.
raw.drilldown (full | inner | outer | none)
full
Specifies how drilldown operates in the raw event listing:

full: Enables the entire entry for drilldown.

inner: Enables inner elements of the event listing for drilldown.

outer: Enables outer elements of the event listing for drilldown.

none: Disables drilldown.

rowNumbers Boolean
False
Indicates whether to display row numbers.
segmentation (none | inner | outer | full)
none
Deprecated: Use list.drilldown or raw.drilldown instead.

Sets the segmentation of events displayed. This affects what you can click on within the event.

If you specify segmentation together with either list.drilldown or raw.drilldown, the value of segmentation is ignored.

showPager Boolean
True
Toggle pagination on or off.
softWrap Boolean Enables wrapping of events.
table.sortColumn text Specifies the column on which to sort for the table.
table.sortDirection (asc | desc)
asc
Indicates the sort direction for items in the table.
table.drilldown Boolean Indicates whether drilldown functionality is enabled for the table.
table.wrap Boolean Indicates whether text in the table wraps.
type (list | raw | table)
list
Indicates the format for displaying events.
Example
<event>
  <title>Event view</title>
  <searchString>changelist | head 1000 | dedup changelist</searchString>
  <fields>added deleted changed</fields>
  <option name="showPager">true</option>
  <option name="count">20</option>
  <option name="displayRowNumbers">false</option>
</event>

html

<html>

The HTML panel displays inline HTML. The panel interprets the entire contents between the HTML tags literally, displaying HTML formatted text in the panel.

Any relative link references, such as images, are relative to the current view location. The HTML panel does not accept any options.

Attributes
Name Type Default Description
id String Unique id for this panel
src String Specifies an HTML file to display in the HTML panel.

Place the HTML file in the following directory:

$SPLUNK_HOME/etc/apps/appname/appserver/static/
Parent elements
<row>
<html>
Example

HTML panel showing how to reference a local image:

<html>
  <h1>HTML Panel Example</h1>
  <p>The HTML panel displays inline HTML.</p>
  <p>
    The panel interpets the entire contents between the HTML tags literally, displaying
    HTML formatted text in the panel. The HTML panel does not accept any options.
  </p>
  <p>
    Any relative link references, such as images,
    are relative to the current view location. 
  </p>
  <p>
    For the following image in the Search app: <img src="/static/app/search/appIcon.png"/>
  </p>
  <p>Path to image: 
    <pre>$SPLUNK_HOME/apps/appserver/static/app/search/sppIcon.png
   HTML source:
<img src="/static/app/search/appIcon.png" /> 
 </p>

</html> </pre>

Viz SimpleXML ref html1.png

list

<list>

A panel displaying data in a list. Use this panel to display information from saved searches or search results.

Attributes
Name Type Default Description
id String Unique id for this panel
Parent elements
<row>
<list>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <option name="[property]"> (0..n)
Options
Property Type Default Description
labelField Field name (Required) The field name to use to generate labels for a list.
valueField Field name (Required) The name of the result field whose value should be displayed in the label part of the link list. Link lists are generally a combination of a descriptive label and a numeric count or other (value) field.
InitialSort Field name The initial field on which to sort.
initialSortDir (asc | desc)
asc
The direction to sort the results based on the initialSort field.
labelFieldSearch Search string The search string to generate when the user clicks on the label field. Requires labelFieldTarget to be defined to a valid view. The value of the label field is automatically added to the search.
labelFieldTarget View name The view to target if the label field is set up to generate a clickable link that dispatches a search.
Example

Example list panel listing the sourcetype for errors, followed by host name for the error:

<list>
  <searchName>Errors in the last 24 hours</searchName>
  <option name="labelField">sourcetype</option>
  <option name="valueField">host</option>
</list>

map

<map>

Provides for mapping geographic coordinates as interactive markers on a world map. This visualization depends on results from the geostats search command.

Refer to geostats in the Splunk Search Reference for details on implementing a geostats search.

Attributes
Name Type Default Description
id String Unique id for this panel
Parent element
<row>
<map>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <option name="[property]"> (0..n)
Options
property Type Default Description
link.exportResults.visible Boolean
(See description)
Show the Export button at the bottom of the panel.

Default value: The value of link.visible.

link.inspectSearch.visible Boolean
(See description)
Show the Inspect button at the bottom of the panel.

Default value: The value of link.visible.

link.openSearch.search search string
The alternative search to use for the Open in Search button.
link.openSearch.searchEarliestTime (time modifier)
(See description)
The earliest time to use for the alternative search specified by link.openSearch.search.

Default value: The earliest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.searchLatestTime (time modifier)
(See description)
The latest time to use for the alternative search specified by link.openSearch.search.

Default value: The latest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.text text
Open in Search
The label to use for the Open in Search button.
link.openSearch.ViewTarget View name
Search
The target view for the Open in Search button.
link.openSearch.visible Boolean
(See description)
Show the Open in Search button at the bottom of the panel.

Default value: The value of link.visible

link.visible Boolean
true
Show link buttons at the bottom of the panel.
mapping.data.maxClusters Integer
100
The maximum number of clusters to render.

Caution: Setting this option to a large number of clusters can significantly degrade performance. Splunk recommends values below 1000.

mapping.fieldColors field:hexvalue,
. . .
A comma-separated map of field names to hexadecimal color values (0xRRGGBB) to define colors for specific series.
mapping.seriesColors hexvalue, . . .
Default*
A list of hexadecimal color values (0xRRGGBB) from which to sample colors for series with no specific colors assigned using the fieldColors property.
mapping.map.center (lat,long) The initial center point of the map. Latitude values can range from -85 to 85, with values outside of this range being clipped. Longitude values can range from -180 to 180, with values outside of this range being wrapped to fall within it.
mapping.map.zoom Number The initial zoom level of the map.
mapping.map.fitBounds (south-lat,
west-long,
north-lat,
east-long)
The initial bounds to fit within the map view area. Latitude values can range from -85 to 85, with values outside of this range being clipped.

Longitude values can range from -180 to 180, with values outside of this range being wrapped to fall within it.

Values assigned to this property effectively override any values assigned to the center or zoom properties.

Example to specify San Francisco Bay Area:

<option name="mapping.map.fitBounds">(37.5,-123,38,-122)</option>

mapping.tileLayer.url URL template
See description
The URL to use for requesting tiles, based on the following template:

http://(s).tile.openstreetmap.org/(z)/(x)/(y).png

mapping.tileLayer.subdomains [string,. . .]
[a,b,c]
A list of subdomains to distribute tile requests over. More subdomains allows more tiles to be requested simultaneously.

See example below.

mapping.tileLayer.minZoom Integer
0
The minimum zoom level of the tileset.
mapping.tileLayer.maxZoom Integer
7
The maximum zoom level of the tileset.

Use any non-negative integer to specify the maximum zoom level.

mapping.tileLayer.invertY Boolean
False
Whether to invert the y coordinate for tile requests. TMS servers use inverse y-axis numbering.
mapping.tileLayer.attribution String
See description
A copyright attribution to be displayed in the bottom right corner of the map. The default value:

Map data (c) 2012 OpenStreetMap contributors, CC-BY-SA.

See example below.

mapping.markerLayer.markerOpacity Number
0.8
The opacity of the markers. Values can range from 0 (transparent) to 1 (opaque).
mapping.markerLayer.markerMinSize Number
10
The minimum size of the markers, in pixels.
mapping.markerLayer.markerMaxSize Number
50
The maximum size of the markers, in pixels.

* Default value for mapping.seriesColors: [0x6CB8CA,0xFAC61D,0xD85E3D,0x956E96,0xF7912C,0x9AC23C,0x5479AF,0x999755,0xDD87B0,0x65AA82, 0xA7D4DF,0xFCDD77,0xE89E8B,0xBFA8C0,0xFABD80,0xC2DA8A,0x98AFCF,0xC2C199,0xEBB7D0,0xA3CCB4, 0x416E79,0x967711,0x823825,0x59425A,0x94571A,0x5C7424,0x324969,0x5C5B33,0x85516A,0x3D664E]

mapping.data.maxClusters example

The following example sets the maximum number of clusters to 250:

<map>
   <option name="mapping.data.maxClusters">250</option>
</map>
mapping.fieldColors and mapping.seriesColors example

The following example configures the "foo" and "bar" fields to be red (0xFF0000) and green (0x00FF00), respectively, and configures all other fields to be blue (0x0000FF):

<map>
   <option name="mapping.fieldColors">{foo:0xFF0000,bar:0x00FF00}</option>
   <option name="mapping.seriesColors">[0x0000FF]</option>
</map>
mapping.map.fitBounds example

The following example initializes the map view to a boundary around San Francisco:

<map>
  <option name="mapping.map.fitBounds">
    (37.5,-123,38,-122)
  </option>
</map>
mapping.tileLayer.* example

The following example configures the client to request tiles from openstreetmap.org (this is the default configuration):

<map>
   <option name="mapping.tileLayer.url">http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png</option>
   <option name="mapping.tileLayer.subdomains">[a,b,c]</option>
   <option name="mapping.tileLayer.maxZoom">18</option>
   <option name="mapping.tileLayer.attribution">
     Map data (c) 2012 OpenStreetMap contributors, CC-BY-SA.
   </option>
</map>
map example, using foursquare data

This example assumes you are indexing foursquare data as source foursquare. It produces the map depicted below.

<map>
  <title>Roma</title>
  <searchString>
    sourcetype=foursquare 
    | geostats latfield=checkin.geolat longfield=checkin.geolong count by checkin.user.gender
  </searchString>
  <option name="mapping.data.maxClusters">500</option>
  <option name="mapping.markerLayer.markerMaxSize">20</option>
  <option name="mapping.map.fitBounds">(41.3,12.7,41.5,12.8)</option>
  <option name="mapping.seriesColors">[0x0060DD]</option>
  <option name="mapping.map.zoom">4</option>
</map>
Viz ItalyMap3.png

single

<single>

A panel displaying the results of a search that return a single value. You can change the color of the panel by specifying a rangemap for the returned values.

Caution: If you specify a search that returns multiple values, the single value panel displays the value from either the first row or first column of returned search data.

Attributes
Name Type Default Description
id String Unique id for this panel
Parent elements
<row>
<single>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <option name="[property]"> (0..n)
Options
Property Type Default Description
additionalClass CSS class name An additional css class name to add to the result container.
afterLabel String Label to display after the result.
beforeLabel String Label to display before the result.
classField (classname | severe | high | elevated | guarded | low | None) Adds the value of the classField of the first result as an additional CSS class to the result container.

Specify a CSS class name or use one of the pre-defined classes: severe, high, elevated, guarded, low, None

field Field name
First field returned
The field to display
link.exportResults.visible Boolean
(See description)
Show the Export button at the bottom of the panel.

Default value: The value of link.visible.

link.inspectSearch.visible Boolean
(See description)
Show the Inspect button at the bottom of the panel.

Default value: The value of link.visible.

link.openSearch.search search string
The alternative search to use for the Open in Search button.
link.openSearch.searchEarliestTime (time modifier)
(See description)
The earliest time to use for the alternative search specified by link.openSearch.search.

Default value: The earliest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.searchLatestTime (time modifier)
(See description)
The latest time to use for the alternative search specified by link.openSearch.search.

Default value: The latest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.text text
Open in Search
The label to use for the Open in Search button.
link.openSearch.ViewTarget View name
Search
The target view for the Open in Search button.
link.openSearch.visible Boolean
(See description)
Show the Open in Search button at the bottom of the panel.

Default value: The value of link.visible

link.visible Boolean
false
Show link buttons at the bottom of the panel.
linkFields (result | beforelabel | afterlabel | underlabel)

Comma-separated list
result
Set which part of the text in the single value to use as a link for drilldown. To link the result and both labels, set as:
result, beforelabel, afterlabel

Note: Both properties linkFields and linkSearch are required to enable drilldown. The property linkView is optional – use linkView to specify a target view other than Search for drilldown.

linkSearch Search string A valid complete search query to turn the result into a clickable link.

Note: Both properties linkFields and linkSearch are required to enable drilldown. The property linkView is optional – use linkView to specify a target view other than Search for drilldown.

linkView View name
(See description)
Specify which view to execute the linked search against for drilldown.

You can specify any view in which the app is located or any view which has global permission.

There is no default value for linkView. If you do not provide a value, then drilldown behavior is disabled.

underLabel String Label to display beneath the result.
Example

Example single value panel displaying before and after labels, and specifying a color range. The range map in the search specifies the values for each range. This panel uses the Splunk default colors for a range map.

<single>
  <searchString>
      index=_internal source="*splunkd.log" ( log_level=ERROR 
      OR log_level=WARN* OR log_level=FATAL 
      OR log_level=CRITICAL) | stats count as log_events 
      | rangemap field=log_events low=1-100 elevated=101-300 default=severe
  </searchString>
  <title>Log events</title>
  <earliestTime>-1d</earliestTime>
  <latestTime>now</latestTime>
  <option name="classField">range</option>
  <option name="afterLabel">total logging events</option>
  <option name="beforeLabel">Found</option>
</single>

Viz SimpleXML ref single.png

table

<table>

A panel displaying search data as a table.

Attributes
Name Type Default Description
id String Unique id for this panel
Parent element
<row>
<table>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <fields> (0..1)
  <drilldown> (0..n)
  <format type="sparkline" field="[field name]"> (0..n)
  <option name="[property]"> (0..n)
Options
property Type Default Description
count Integer
10
The maximum number of rows to display.
dataOverlayMode (heatmap | highlow)
None
Indicates which type of overlay to display.
displayRowNumbers Boolean
True
Toggle display of row numbers.
drilldown (cell | row | none | off)
row
Enable drilldown on row or cell level, or disable drilldown.

none: disables drilldown but preserves hypertext styling.

off: disables drilldown and removes hypertext styling

link.exportResults.visible Boolean
(See description)
Show the Export button at the bottom of the panel.

Default value: The value of link.visible.

link.inspectSearch.visible Boolean
(See description)
Show the Inspect button at the bottom of the panel.

Default value: The value of link.visible.

link.openSearch.search search string
The alternative search to use for the Open in Search button.
link.openSearch.searchEarliestTime (time modifier)
(See description)
The earliest time to use for the alternative search specified by link.openSearch.search.

Default value: The earliest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.searchLatestTime (time modifier)
(See description)
The latest time to use for the alternative search specified by link.openSearch.search.

Default value: The latest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.text text
Open in Search
The label to use for the Open in Search button.
link.openSearch.ViewTarget View name
Search
The target view for the Open in Search button.
link.openSearch.visible Boolean
(See description)
Show the Open in Search button at the bottom of the panel.

Default value: The value of link.visible

link.visible Boolean
true
Show link buttons at the bottom of the panel.
previewResults Boolean
True
Enable preview of results before the search is complete.
showPager Boolean
True
Toggle pagination on or off.
wrap Boolean
True
Enable wrapping of text in the results table.
Example

Example of a table panel using an inline search, displaying five rows, and disabling row numbers:

<table>
  <title>Top sourcetypes in the last 24 hours</title>
  <searchString>
    index=_internal group=per_sourcetype_thruput
    | chart sum(kb) by series | sort -sum(kb)
  </searchString>
  <earliestTime>-1d</earliestTime>
  <latestTime>now</latestTime>
  <option name="count">5</option>
  <option name="displayRowNumbers">0</option>
</table>
Viz SimpleXML ref table.png

Sparkline options

<format type="sparkline" field="[field name]">
Attributes
Name Type Default Description
field Field name Required. Specifies the field to which the sparkline is applied.
type String
sparkline
Required. sparkline is the only type supported. Specifies that a sparkline is being formated.

A set of formatting options that determines how sparklines display in tables. Sparkline options are only applicable to the <table> element. Specify a sparkline option using the <format> element within a <table> element.

Do not confuse the sparkline options here, which format a sparkline, with the sparkline function to the chart or stats search command. The formatting options listed here require a search that uses the sparkline() function. See Add sparklines to search results for information on implementing sparklines.

Caution: The sparkline options listed in this reference do not render when generating a PDF of a dashboard. Only the sparkline itself renders.

Parent elements
<table>
<table>
   <format type="sparkline" field=["field name]"> (0..n)
     <option name="[property name]"> (0..n)
Common options
Property Type Default Description
height CSS style
auto
Height of the chart. Specify any valid CSS width (for example, 1.5em, 20px).
tooltipPrefix text Text to place before each field displayed in a tooltip.
tooltipSuffix text Text to append to each field displayed in a tooltip.
type (bar | discrete | line)
line
Specifies the type of sparkline
Options for bar charts
Property Type Default Description
barSpacing Number Space between each bar, in pixels.
barWidth Number Width of each bar, in pixels.
colorMap See description Range map to map specific values to selected colors.

For example if you want all values of -2 to appear yellow, use colorMap: { '-2': '#ff0' }.

You can pass an array of values here instead of a mapping to specifiy a color for each individual bar. For example if your chart has three values 1,3,1 you can set colorMap=["red", "green", "blue"].

Options for discrete charts
Property Type Default Description
lineColor CSS style Used by line and discrete charts to specify the color of the line drawn as a CSS values string
lineHeight Number
30% of graph height
Height of each line, in pixels.
thresholdColor CSS color CSS color to use in combination with thresholdValue.
thresholdValue CSS color Draw values less than this using thresholdColor instead of lineColor
Options for line charts
Property Type Default Description
fillColor CSS color | false Specify the color to fill the area under the graph as a CSS value. Set to false to disable fill.
highlightLineColor CSS color
#f22
CSS color for the vertical line that appears through a value when moused over.

Set to null to disable.

highlightSpotColor CSS color
#f5f
Color for the spot that appears on a value when moused over.

Set to null to disable.

lineColor CSS style Used by line and discrete charts to specify the color of the line drawn as a CSS values string
lineWidth Number
1
line width, In pixels.
maxSpotColor CSS color CSS color of the marker displayed for the maximum value.

Set to false or an empty string to hide it.

minSpotColor CSS color CSS color of the marker displayed for the minimum value.

Set to false or an empty string to hide it.

normalRangeMax range (see description) With normalRangeMin, threshold values between which to draw a bar to denote the "normal" or expected range of values.

For example the green (normal) bar in this range 80,85,84,88,98,114,116,104,95,85,84 might denote a normal operating temperature range.

normalRangeMin
range (see description)
With normalRangeMax, threshold values between which to draw a bar to denote the "normal" or expected range of values.

For example the green (normal) bar in this range 80,85,84,88,98,114,116,104,95,85,84 might denote a normal operating temperature range.

spotColor CSS color CSS color of the final value marker.

Set to false or an empty string to hide it.

spotRadius Number
1.5
Radius, in pixels, of all spot markers.
valueSpots range (see description) Points on which to draw spots, and with which color. Accepts a range.

For example, to render green spots on all values less than 50 and red on values higher use {':49': 'green, '50:': 'red'}

width CSS style
auto
Width of the chart. Specify any valid CSS width (for example, 1.5em, 20px). This option does apply to bar and tristate type sparklines.
Example

Sparkline of type bar with a color map

<table>
  <title>Basic Sparkline Bar w/ Color Map</title>
  <!-- Set span for each sparkline datapoint to be 1 hour -->
  <searchString>
    index=_internal | chart count sparkline(count, 1h) as trend by sourcetype | sort -count
  </searchString>
  <earliestTime>-24h@h</earliestTime>
  <latestTime>now</latestTime>
  
  <!-- Set sparkline options here; make sure that field matches field name of the search results -->      
  <format type="sparkline" field="trend">
    <option name="type">bar</option>
    <option name="height">40px</option>
    <!-- Use colorMap to map specific values to selected colors -->      
    <option name="colorMap">
      <option name="2000:">#5379AF</option>
      <option name=":1999">#9ac23c</option>
    </option>
    <option name="barWidth">5px</option>
  </format>
</table>
Sparkline example.png

fields

<fields>

Comma-separated list of fields. Use the <fields> element to restrict searches to these fields.
The order of the fields in the comma-separated list determines the order of the columns in the table or event listing.

Parent elements
<event> <table>
<event> | <table>
  <fields> (0..1)
Example

Restrict the results of the search to the following fields: host, ip, username

. . .
<table>
  <title>Top users, five hours ago</title>
  <searchString>host=production | top users</searchString>
  <fields>host,ip,username</fields>
  <earliestTime>-10h</earliestTime>
  <latestTime>-5h</latestTime>
</table>
. . .

options

<option>

The <option> tag applies a specific property to an element, such as a panel element. Use the name attribute to specify the property.

Typically, named options apply to a specific panel. However some options can be applied to more than one panel.

Attribute
Name Type Default Description
name Property name (Required)

Specifies the name of the specific property.

The allowed values for <option> depends on the named property. Refer to the reference entry for each panel to see a list of named options and the allowed values.

Parent elements
<chart> <event> <list> <single> <table>
<chart> |  <event> | <html> | <list> | <single> | <table>
  . . . 
  <option name="[property]">[option value]</option> (0..n)
Example
<table>
  <title>Top sourcetypes in the last 24 hours</title>
  <searchString>
    index=_internal group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb)
  </searchString>
  <earliestTime>-1d</earliestTime>
  <latestTime>now</latestTime>
  <option name="count">5</option>
  <option name="displayRowNumbers">0</option>
</table>

Search elements for dashboards, forms, and panels

The following elements are available for use with <dashboard>, <form>, and panel elements. The description of each search element explains their usage.

The <searchPostProcess> element is a child of a panel element and requires that the parent <dashboard> or <form> element contain a base search.

earliestTime

<earliestTime>

Specifies the earliest time to include in a search. Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

If specified as a child of a panel element, modifies the time for that panel. If specified for a dashboard or a form, modifies the search for the dashboard or form.

Parent elements
<form> | <dashboard>
<chart> <event><list> <single> <table>
<earliestTime>[time modifier]</earliestTime>
Example
<form>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"  
    | fields eps, kb, kbps
  </searchTemplate>
  . . .
  <row>
    <table>
      <title></title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</form>

latestTime

<latestTime>

Specifies the latest time to include in a search. Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

If specified as a child of a panel element, modifies the time for that panel. If specified for a dashboard or a form, modifies the search for the dashboard or form.

Parent elements
<form> | <dashboard>
<chart> <event><list> <single> <table>
<latestTime>[time modifier]</latestTime>
Example
<form>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"  
    | fields eps, kb, kbps
  </searchTemplate>
  . . .
  <row>
    <table>
      <title></title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</form>

searchName

<searchName>

The name of a report containing the search used by a panel.

Parent elements
<chart> <event> <list><map> <single> <table>
<searchName>[report name]</searchName>
Example (panel)
<chart>
  <searchName>Splunk errors last 24 hours</searchName>
</chart>

searchString

<searchString>

The search used by a panel to display results.

Parent elements
<chart> <event> <list> <map> <single> <table>
Example (panel)
<table>
  <searchString>
      index="_internal" source="*metrics.log" group="pipeline" 
      | chart sum(cpu_seconds) over processor | sort -sum(cpu_seconds) 
      |rename sum(cpu_seconds) as "Total CPU Seconds"
  </searchString>
  <title>High CPU processors</title>
  . . .
</table>
Example (form)
<form>
  <fieldset>
   <input type="text" token="sourcetype" />
  </fieldset>
  <searchString>
    index=_internal source=*metrics.log group=per_sourcetype_thruput
      series="$sourcetype$" | head 1000
  </searchString>  
  <row>
      <table>
        <title>Matching events</title>
        <option name="count">50</option>
      </table>
  </row>
</form>

searchPostProcess

<searchPostProcess>

Inline search string to process events or results from a base search within a panel. Typically, the base search is a transforming search

Caution: A post process search has an unconfigurable limit of 10,000 raw events that can be passed to it. Events in excess of this 10,000 event limit are not processed and silently ignored, resulting in incomplete data reported for the post process search.

Caution: Passing a large number of search results from a base search can cause a server time out. In this scenario, consider the following:

  • The number of results and fields returned from the base search.
  • The complexity of the post process operations on these results.

For more information on post process searches, see Use one search for a whole dashboard. This topic is in the advanced XML manual, but the principles apply to simple XML post process searches.

Parent elements
<chart> <event> <list> <single> <table>
<searchPostProcess>[search string]</searchPostProcess>
Example
<form>
  <fieldset>
      <input type="dropdown" token="reportTypeToken">
            <label>Select name</label>
            <default>Sourcetype</default>
            <choice value="index">Index</choice>
            <choice value="sourcetype">Sourcetype</choice>
            <choice value="source">Source</choice>
            <choice value="host">Host</choice>
        </input>
      <input type="time">
        <default>Last 4 hours</default>
      </input>
  </fieldset>
  
  <!-- Search that returns all of the data that requested by subsequent panels -->
  <searchTemplate>
    index=_internal source=*metrics.log group="per_$reportTypeToken$_thruput"
    | bin _time span=1m | stats count by series, eps, kb, kbps, _time
  </searchTemplate>
  
  <row>
      <table>
          <title>eps over time</title>
          <searchPostProcess>timechart avg(eps) by series</searchPostProcess>
      </table>
      <chart>
          <title>KB indexed over time</title>
          <searchPostProcess>timechart sum(kb) by series</searchPostProcess>
          <option name="height">300px</option>
          <option name="charting.chart">area</option>
          <option name="charting.chart.stackMode">stacked</option>
      </chart>
  </row>  
</form>

searchTemplate

<searchTemplate>

A base search for a form that uses $token$ to delimit tokens to be replaced with user input from the form.

<searchTemplate> can also be used with a <dashboard> or a panel.

Parent elements
<form>
<dashboard>
<chart> | <event> | <html> | <list> | <single> | <table>
Example
<form> 
  <label>Basic form search</label>  
  <fieldset> 
    <html> 
      <p> 
       Enter a sourcetype in the field below. 
      </p> 
    </html>    
     <!-- the default input type is a text box --> 
     <input token="sourcetype" /> 
  </fieldset> 
  <!-- search with replacement token delimited with $ --> 
  <searchTemplate> 
   index=_internal source=*metrics.log 
     group=per_sourcetype_thruput series="$sourcetype$" 
     | head 1000 
  </searchTemplate> 
  <row> 
    <!-- output the results as a 50 row events table --> 
    <table> 
     <title>Matching events</title> 
     <option name="count">50</option> 
    </table> 
  </row> 
</form>

Drilldown elements

drilldown

<drilldown>

Define custom destinations to link to when a user clicks on fields in a dashboard or form. Specify a path to the destination using the <link> tag.

For details see Dynamic drilldown in dashboards and forms.

Attributes
Name Type Default Description
target text
Specifies an HTML target for the drilldown. Specify "_blank" to open the drilldown in a new window.
Parent elements
<chart> <event> <list> <single> <table>
<drilldown>
  <link> (1..n)
Example 1: Pass a value to a form
<table>
<searchString>index=_internal</searchString>

<!-- Pass the clicked row's 'count'-column value    -->
<!-- to populate a destination form's 'foo' token. -->
<drilldown>
  <link>
  /app/search/simple_xml_form?form.foo=$row.count$
  </link>
</drilldown>
</table>
Example 2: Pass parameters to a form
<table>
<searchString>index=_internal</searchString>

<!-- Pass the clicked cell's value, earliest time, -->
<!-- and latest time to a destination form's       -->
<!-- token ('foo') and search parameters           -->
<drilldown>
  <link>
  <![CDATA[
/app/search/simple_xml_form?form.foo=$click.value2$&earliest=$earliest$&latest=$latest$
  ]]>
  </link>
</drilldown>
</table>
Example 3: Pass a value from a chart to a website
<chart>
  <searchString>
    index=_internal | chart count by sourcetype
  </searchString>
  <option name="charting.chart">column</option>

  <!-- $click.value$ captures the value clicked by the user -->
  <!-- From the X-axis of a column chart and passes         -->
  <!-- it to the website as a query parameter               -->
  <drilldown>          
    <link>
      http://splunk-base.splunk.com/integrated_search/?q=$click.value$
    </link>
  </drilldown>
</chart>

link

<link>

Specifies a destination for the <drilldown> tag.

There are various ways to specify a destination for the drilldown using relative paths or a URL, as described below

Attributes
Name Type Default Description
field Field name Specifies which values to capture in a table from the specified column or row.
series Series name Specifies which values to capture in a chart from the specified specified series.
Parent element

<drilldown>

1) <link> [path/viewname] </link>
2) <link> [path/viewname?form.token=$dest_value$] </link>
3) <link> [path/viewname?form.token=$dest_value$&earliest=$earliest$&latest=$latest$] </link>
4) <link> [URL?q=$dest_value$] </link>

  1. Relative path to connect to a dashboard.
  2. Relative path to connect to a form, passing in a token to populate the form.
  3. Pass in the earliest and latest time range from the original search.
    (Requires use of CDATA to escape special characters.)
  4. URL and query argument to pass a value to the destination page

Path values Description
path A path to the destination view from the current view. Typically, you specify path as: /app/app_name/

However, you can also specify a relative path, based on the app context of the source and destination views.

viewname The name of the Splunk view you are using for a destination.
$dest_value$ Specifies how to capture a value from a table or chart. See below for details.
URL Specify a URL to a web page. Use the full address, including the protocol. For example: http://.
q When specifying a URL, use q to specify the value of dest_value in a query string to a web resource.

There are various ways you can specify dest_value to indicate the value to capture from the table or chart.

dest_value Description
click.name

click.name2

For use with tables.

click.name: The value in a table row. Returns the value from the first column in the row.
click.name2: The value in a table column. Returns the value of the selected column in a row.

Note: For multivalue fields in a table, use click.value2. See Dashboard linking to a multivalue field example.

click.value

click.value2

For use with charts.

For all charts, except Bar charts:
click.value: The value on the X-axis
click.value2: The value on the Y-axis
(for Bar charts, these values are reversed)

Note: Multivalue fields in a table also use click.value2. See Dashboard linking to a multivalue field example.

form.token token specifies the token accepted as input by the target form. Use as a parameter to URL for the target form.

For example, you can populate a target form's form element that has a src token with the value of the src token of the source form's form element. Add the following parameter to the URL for the target form:

&form.src=$form.src$

earliest

latest

Pass the earliest and latest times to a search to the driildown target. Use as parameters to URL for the target view.

For example, add:

&earliest=$earliest$&latest=$latest$ 

to the drilldown target view URL. Use CDATA to escape the '&' in the parameters.

row.fieldname For use with tables.

Specifies the field from the selected row or column from which to capture the value.

Example

See examples above for the <drilldown> tag.

PREVIOUS
Chart customization
  NEXT
Chart Configuration Reference

This documentation applies to the following versions of Splunk® Enterprise: 6.0


Comments

Mike, thanks for your suggestion. I forwarded your suggestion to the dev team for consideration. One response from the dev team is that there may be easier ways to leverage the search syntax to achieve similar results.

Vgenovese
October 16, 2013

Would it be possible to include support for regular expressions in mapping.fieldColors? I.e. instead of "Up:0xRRGGBB,Down:0xRR00FF", I could have "^.+ : Up$" and "^.+ : Down$" if I'd like to have let's say multiple fields returned to indicate location names + status (Up or Down) and I would like to color Up green and Down red but still show the location name

Mikaelbje
October 16, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters