Splunk® Enterprise

Dashboards and Visualizations

This documentation does not apply to the most recent version of Splunk.

Simple XML Reference

Dashboards and forms

dashboard

<dashboard>

Root element of a view containing a series of rows, each of which can display one or more panels.

<dashboard>
  <label> (0..1)
  <description> (0..1)
  <row> (1..n)
    <panel> (0..n)
      <chart> |  <event> | <html> | <list> | <single> | <table> (1..n)
Attributes
Name Type Default Description
isDashboard Boolean
True
Specifies whether the dashboard is listed in the system list of views.

Equivalent to the attribute isVisible.

isVisible Boolean
True
Specifies whether the dashboard is listed in the system list of views.
onunloadCancelJobs Boolean Specifies whether to cancel search jobs when navigating away from a dashboard.
refresh Integer
0
Sets the refresh interval, in seconds. Dashboard reloads after the specified refresh interval.
script String Comma-separated list of custom JavaScript files to load. The files must be in the following location. The files cannot be in a subdirectory.
$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/

To reference the custom JavaScript files from another app, specify the app name when referencing the file as follows:

<dashboard script="myApp:myScript.js">
stylesheet text Specifies the stylesheet to use for the dashboard. The stylesheet file must be in the following location. The files cannot be in a subdirectory.
$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/

To reference a custom stylesheet file from another app, specify the app name when referencing the file as follows:

<dashboard stylesheet="myApp:myStyles.css">
Example
<dashboard script="myScript.js, myScript2.js" stylesheet="myLocalStyles.css, myApp:myAppStyles.css">
  <label>Data inputs</label>
  <description>Listing of data inputs</description>
  <row>
    <panel>
      <chart>
        <searchName>My saved report</searchName>
      </chart>
    </panel>
  </row>
</dashboard>

form

<form>

A form is a top-level element that implements a dashboard with an interface to supply values for one or more search terms used in the dashboard.

The <searchTemplate> tag defines the required search for a form. You can specify the <searchTemplate> as global to all panels within the form, or within a panel of the form. If specified as global and within a panel, the panel ignores the global <searchTemplate>.

<form>
  <label> (0..1)
  <description> (0..1)
  <searchTemplate> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <fieldset> (1)
    <input> (1..n)
  <row> (1..n)
    <chart> |  <event> | <html> | <list> | <map> | <single> | <table> (1..n)
      <searchTemplate> (0..1)
Attributes
Name Type Default Description
isVisible Boolean
True
Specifies whether the dashboard is listed in the system list of views.
onUnloadCancelJobs Boolean Specifies whether to cancel search jobs when navigating away from a dashboard.
refresh Integer
0
Sets the refresh interval, in seconds. Dashboard reloads after the specified refresh interval.
script String Comma-separated list of custom JavaScript files to load. The files must be in the following location. The files cannot be in a subdirectory.
$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/

To reference the custom JavaScript files from another app, specify the app name when referencing the file as follows:

<form script="myApp:myScript.js">
stylesheet Text Specifies the stylesheet to use for the form. The stylesheet file must be in the following location. The files cannot be in a subdirectory.
$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/

To reference a custom stylesheet file from another app, specify the app name when referencing the file as follows:

<form stylesheet="myApp:myStyles.css">
Example
<form script="myLocalScript.js, myApp:myAppScript.js" stylesheet="myStyles.css, myStyles2.css">

  <label>Username</label>
  <description>Last 100 users logged in during the last seven days</description>  
  <searchTemplate>sourcetype=logins $username$</searchTemplate>
  <earliestTime>-7d</earliestTime>
  <latestTime>-0d</latestTime>    

  <fieldset>
      <input type="text" token="username" />
  </fieldset>
  
  <row>
    <panel>
      <event>
        <option name="count">100</option>
      </event>
    </panel>
  </row>
</form>
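
The script and stylesheet attributes decide which custom files a view pulls in, so they are worth inventorying when dashboards are reviewed. The following is an added example, not Splunk code: it resolves each entry to the static directory given above and flags cross-app references, subdirectory paths, and entries whose extension does not match the attribute. The function name, the flag names, the owning app name "search", and the extension check are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Directory the page gives for custom JavaScript and stylesheet files.
STATIC_DIR = "$SPLUNK_HOME/etc/apps/{app}/appserver/static/{name}"
# Extension this sketch expects for each attribute (a review heuristic).
EXPECTED_EXT = {"script": ".js", "stylesheet": ".css"}

# Root element of the page's <form> example, body shortened.
PAGE_FORM_EXAMPLE = """
<form script="myLocalScript.js, myApp:myAppScript.js" stylesheet="myStyles.css, myStyles2.css">
  <label>Username</label>
</form>
"""

# Constructed sample with entries that need a reviewer's attention.
CONSTRUCTED_BAD_VIEW = """
<dashboard script="lib/helper.js, otherApp:theme.css" stylesheet="main.css">
  <label>Constructed sample</label>
</dashboard>
"""


def static_file_refs(view_xml, owning_app):
    """List every file named in the root element's script/stylesheet attributes.

    owning_app is the app the view itself lives in; entries without an
    "app:" prefix resolve to that app's static directory.
    """
    root = ET.fromstring(view_xml)
    if root.tag not in ("dashboard", "form"):
        raise ValueError("root element is <%s>, expected <dashboard> or <form>" % root.tag)

    refs = []
    for attr, ext in EXPECTED_EXT.items():
        for entry in root.get(attr, "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            # "myApp:myScript.js" references a file in another app.
            app, sep, name = entry.partition(":")
            if not sep:
                app, name = owning_app, entry

            flags = []
            if app != owning_app:
                flags.append("cross-app")
            # The page states the files cannot be in a subdirectory.
            if "/" in name or "\\" in name:
                flags.append("subdirectory")
            if not name.lower().endswith(ext):
                flags.append("unexpected-extension")

            refs.append({
                "attribute": attr,
                "app": app,
                "file": name,
                "path": STATIC_DIR.format(app=app, name=name),
                "flags": flags,
            })
    return refs


if __name__ == "__main__":
    for sample in (PAGE_FORM_EXAMPLE, CONSTRUCTED_BAD_VIEW):
        for ref in static_file_refs(sample, "search"):
            print(ref["attribute"], ref["path"], ref["flags"])
```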

panel

<panel>

A container to display and group one or more panel visualization elements.

The panel element is optional, but is useful for grouping visualization elements. Two or more visualization elements in a panel group vertically in a panel. The exception is the single visualization element. Two or more single elements group horizontally.

You can also use the grouping attribute of the <row> element to group visualizations.

Parent elements
<dashboard> | <form>
<row>
  <panel> (0..n)
    <chart> |  <event> | <html> | <list> | <map> | <single> | <table> (1..n)
Attributes

No attributes for <panel>

Example

Grouping of chart visualizations and single value visualizations using the <panel> element.

<dashboard>
  <label>Panel Grouping Example</label>
  <description/>
  <row>
    <panel>
      <chart>
        <title>Chart grouping</title>
        <searchString>
          index=_internal source="*splunkd.log"
          ( log_level=ERROR OR log_level=WARN*
          OR log_level=FATAL OR log_level=CRITICAL )
          | stats count as log_events
          | rangemap field=log_events low=1-100 elevated=101-300 default=severe
        </searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="charting.chart">radialGauge</option>
      </chart>
      <chart>
        <searchString>
          index=_internal source="*splunkd.log"
          ( log_level=ERROR OR log_level=WARN*
          OR log_level=FATAL OR log_level=CRITICAL )
          | stats count as log_events
          | rangemap field=log_events low=1-100 elevated=101-300 default=severe
        </searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="charting.chart">markerGauge</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <title>Single value grouping</title>
        <searchString>
          index=_internal source="*splunkd.log"
          ( log_level=ERROR OR log_level=WARN*
          OR log_level=FATAL OR log_level=CRITICAL )
          | stats count as log_events
          | rangemap field=log_events low=1-100 elevated=101-300 default=severe
        </searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="beforeLabel">Found</option>
        <option name="afterLabel">errors</option>
      </single>
      <single>
        <searchString>
          index=_internal source="*splunkd.log"
          ( log_level=ERROR OR log_level=WARN*
          OR log_level=FATAL OR log_level=CRITICAL )
          | stats count as log_events
          | rangemap field=log_events low=1-100 elevated=101-300 default=severe
        </searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="beforeLabel">Found</option>
        <option name="afterLabel">errors</option>
      </single>
    </panel>
  </row>
</dashboard>

row

<row>

A container for displaying one or more visualization elements in a horizontal layout of a dashboard or form. Typically, you group visualization elements in a <panel> element. However, the <panel> element is optional.

Use the grouping attribute to configure the arrangement of the visualization elements. You can also use the <panel> element to group visualizations.

Parent elements
<dashboard> | <form>
<row grouping="i[,j]...">
  <panel> (0..n)
    <chart> |  <event> | <html> | <list> | <map> | <single> | <table> (1..n)
Attributes
Name Type Default Description
grouping comma-separated list of integers No grouping
Sets the grouping for the panels in a row according to a comma-separated list of numbers representing the panels to be grouped. When you group panels, the visualization for each grouped panel is placed in a container. With one exception, you can consider the containers as columns for the panel visualizations. Visualizations are placed one above the other in the container. If the grouping contains only visualizations of type <single>, the visualizations are placed side-by-side.

The first number in a grouping configures a group for the initial number of panels specified for that group. Subsequent numbers in the list similarly form a group for the next set of panels.

For example, suppose you have a row with 6 visualizations. Specify the following grouping:

<row grouping="2,1,3">

This creates a container with the first two panels, a second container with one visualization, and a third container with the last three panels grouped.

Example
<dashboard>
 <label>My dashboard</label>
  <row grouping="2,2">
   <!-- First grouped container, grouped as a column  -->
   <single>. . .</single>
   <list>. . .</list>

   <!-- Second grouped container, grouped as a column  -->
   <single>. . .</single>
   <table>. . .</table>
  </row>
</dashboard>
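
The grouping rule described above, worked through as an added example (not Splunk code). It splits the visualizations that are direct children of a <row> into containers and reports each container's layout. Assumptions of this sketch: the function name, treating a row without a grouping attribute as one container per visualization, and rejecting a grouping whose numbers do not add up to the number of visualizations.

```python
import xml.etree.ElementTree as ET

# Visualization elements the page lists as children of a row.
VISUALIZATIONS = {"chart", "event", "html", "list", "map", "single", "table"}

# The page's <row grouping="2,2"> example with the element bodies left empty.
PAGE_ROW_EXAMPLE = """
<row grouping="2,2">
  <!-- First grouped container -->
  <single/><list/>
  <!-- Second grouped container -->
  <single/><table/>
</row>
"""

# Constructed row with 6 visualizations for the page's grouping="2,1,3" case.
SIX_VIS_ROW = """
<row grouping="2,1,3">
  <single/><single/>
  <chart/>
  <table/><event/><list/>
</row>
"""


def group_row(row_xml):
    """Return the containers a row's grouping attribute produces.

    Each container is a dict with the element names it holds and its layout:
    "side-by-side" when it holds only <single> elements, "stacked" otherwise.
    """
    row = ET.fromstring(row_xml)
    if row.tag != "row":
        raise ValueError("expected a <row> element, got <%s>" % row.tag)

    # Only direct children are counted, so markup nested inside an <html>
    # visualization is not mistaken for a visualization of its own.
    vis = [child.tag for child in row if child.tag in VISUALIZATIONS]

    spec = row.get("grouping")
    if spec is None:
        sizes = [1] * len(vis)          # assumption: no grouping attribute
    else:
        try:
            sizes = [int(part) for part in spec.split(",")]
        except ValueError:
            raise ValueError("grouping must be comma-separated integers: %r" % spec)
        if any(n < 1 for n in sizes):
            raise ValueError("grouping numbers must be positive: %r" % spec)

    if sum(sizes) != len(vis):
        raise ValueError("grouping covers %d visualizations, row has %d"
                         % (sum(sizes), len(vis)))

    containers, start = [], 0
    for n in sizes:
        members = vis[start:start + n]
        only_single = all(tag == "single" for tag in members)
        containers.append({
            "elements": members,
            "layout": "side-by-side" if only_single else "stacked",
        })
        start += n
    return containers


if __name__ == "__main__":
    for sample in (PAGE_ROW_EXAMPLE, SIX_VIS_ROW):
        for container in group_row(sample):
            print(container)
```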

label

<label>

Header text for a dashboard or form.

Parent element
<dashboard> | <form>
<label>[text]</label> (0..1)
Example
<dashboard>
  <label>Event count for different sourcetypes</label>
  . . .
</dashboard>

description

<description>

Text that appears beneath the label of a dashboard or form.

Parent element
<dashboard> | <form>
<description>[text]</description> (0..1)
Example
<dashboard>
  <label>Event count for different sourcetypes</label>
  <description>Listing of common source types</description>
  . . .
</dashboard>

Form inputs

fieldset

<fieldset>

Defines the input elements to a form.

Attributes
Name Type Default Description
autoRun Boolean
False
Indicates whether to run the search when the page loads.
submitButton Boolean
True
Indicates whether to display a Submit button.
Parent element
<form>
<fieldset autoRun="[Boolean]" submitButton="[Boolean]">
  <html> (0..n)
  <input type="[input type]" token="[search token]"> (1..n)
    <label> (0..1)
    <default> (0..1)
    <prefix> (0..1)
    <seed> (0..1)
    <selectFirstChoice> (0..1)
    <suffix> (0..1)
    <populatingSearch> | <populatingSavedSearch> (0..1)
Example
<fieldset autoRun="true" submitButton="false">
  <input type="text" token="series">
    <label>sourcetype</label>
    <default></default>
    <seed>splunkd</seed>
    <suffix>*</suffix>
  </input>
</fieldset>


input (checkbox)

<input type="checkbox">

Defines a checkbox input to a form.

Attributes
Name Type Default Description
searchWhenChanged Boolean False Specifies to run the search upon a new selection.
token String Specifies which token in the search string to replace with the specified value.
Parent element
<fieldset>
<input type="checkbox" token="[search token]"> (1..n)
  <default> (0..1)
  <delimiter> (0..1)
  <label> (0..1)
  <prefix> (0..1)
  <populatingSearch> | <populatingSavedSearch> (0..1)
  <suffix> (0..1)
  <valuePrefix> (0..1)
  <valueSuffix> (0..1)
<checkbox> child elements
element Type Default Description
<default> Attribute value Specifies a default value for an input element.
<delimiter> text A string that will be placed between each selected value. Typically, you specify " OR " or " AND " using upper case – do not specify the quote marks, but specify a space character before and after the text.
<label> text Text displayed with the input element.
<prefix> text String prefixed to the value of the input element. Can be a regular expression.
<populatingSavedSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]">

<populatingSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]"
   earliest="[timeformat]"
   latest="[timeformat]">

text fieldForLabel: Required. The field to use for the labels of the generated values from the search.

fieldForValue: Required. The field to use for the values of the generated values from the search.

Search to populate the possible values of the <multiselect> input element.

<populatingSavedSearch> specifies a search from a report.

<populatingSearch> specifies an inline search.

<suffix> text String appended to the value of the input element. Can be a regular expression.
<valuePrefix> text String prefixed to the value of the input element. Can be a regular expression.
<valueSuffix> text String appended to the value of the input element. Can be a regular expression.
Example

This example produces the following string when a user selects One and Three from the multiselect:

("1*" AND "3*")
<fieldset>
  <input type="checkbox" token="mv5">
    <choice value="1">One</choice>
    <choice value="2">Two</choice>
    <choice value="3">Three</choice>
    <delimiter> AND </delimiter>
    <prefix>(</prefix>
    <suffix>)</suffix>
    <valuePrefix>"</valuePrefix>
    <valueSuffix>*"</valueSuffix>
  </input>
</fieldset>

input (dropdown)

<input type="dropdown">

Defines a dropdown input to a form.

Attributes
Name Type Default Description
searchWhenChanged Boolean False Specifies to run the search upon a new selection.
token String Specifies which token in the search string to replace with the specified value.
Parent element
<fieldset>
<input type="dropdown" token="[search token]"> (1..n)
  <choice> (0..n)
  <label> (0..1)
  <default> (0..1)
  <prefix> (0..1)
  <selectFirstChoice> (0..1)
  <populatingSearch> | <populatingSavedSearch> (0..1)
  <suffix> (0..1)
<dropdown> child elements
element Type Default Description
<choice value=[value]> text value: Required. Specifies the value to use for the choice.

Specifies choices for a radio or dropdown element. The <choice> text is the label to use for the specified value.

<default> Attribute value Specifies a default value for an input element.
<label> text Text displayed with the input element.
<populatingSavedSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]">

<populatingSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]"
   earliest="[timeformat]"
   latest="[timeformat]">

text fieldForLabel: Required. The field to use for the labels of the generated values from the search.

fieldForValue: Required. The field to use for the values of the generated values from the search.

Search to populate the possible values of a <dropdown> or <radio> input element.

<populatingSavedSearch> specifies a search from a report.

<populatingSearch> specifies an inline search.

<prefix> text String prefixed to the value of the input element. Can be a regular expression.
<selectFirstChoice> boolean
false
Indicates if the first item listed is the default item for the input. If a value for <default> is present, <selectFirstChoice> is ignored.
<suffix> String String appended to the value of the input element. Can be a regular expression.
Example
<fieldset>
  <input type="dropdown" token="series">
    <choice value="*">Any</choice>
    <label>Select series</label>
    <populatingSearch fieldForValue="series" fieldForLabel="series">
      <![CDATA[index=_internal source=*metrics.log group="per_sourcetype_thruput" | top series]]>
    </populatingSearch>
  </input>
</fieldset>

input (multiselect)

<input type="multiselect">

Defines an input to a form that accepts multiple choices. When a user selects the input, defined choices appear as a dropdown list. The user can also type directly in the input to filter the available choices.

Attributes
Name Type Default Description
searchWhenChanged Boolean False Specifies to run the search upon a new selection.
token text Specifies which token in the search string to replace with the specified value.
Parent element
<fieldset>
<input type="multiselect" token="[search token]"> (1..n)
  <default> (0..1)
  <delimiter> (0..1)
  <label> (0..1)
  <prefix> (0..1)
  <populatingSearch> | <populatingSavedSearch> (0..1)
  <suffix> (0..1)
  <valuePrefix> (0..1)
  <valueSuffix> (0..1)
<multiselect> child elements
element Type Default Description
<default> Attribute value Specifies a default value for an input element.
<delimiter> text A string that will be placed between each selected value. Typically, you specify " OR " or " AND " using upper case – do not specify the quote marks, but specify a space character before and after the text.


<label> text Text displayed with the input element.
<prefix> text String prefixed to the value of the input element. Can be a regular expression.
<populatingSavedSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]">

<populatingSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]"
   earliest="[timeformat]"
   latest="[timeformat]">

text fieldForLabel: Required. The field to use for the labels of the generated values from the search.

fieldForValue: Required. The field to use for the values of the generated values from the search.

Search to populate the possible values of the <multiselect> input element.

<populatingSavedSearch> specifies a search from a report.

<populatingSearch> specifies an inline search.

<suffix> text String appended to the value of the input element. Can be a regular expression.
<valuePrefix> text String prefixed to the value of the input element. Can be a regular expression.
<valueSuffix> text String appended to the value of the input element. Can be a regular expression.
Example

This example produces the following string when a user selects One and Three from the multiselect:

("1*" AND "3*")
<fieldset>
  <input type="multiselect" token="mv5">
    <choice value="1">One</choice>
    <choice value="2">Two</choice>
    <choice value="3">Three</choice>
    <delimiter> AND </delimiter>
    <prefix>(</prefix>
    <suffix>)</suffix>
    <valuePrefix>"</valuePrefix>
    <valueSuffix>*"</valueSuffix>
  </input>
</fieldset>
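
How <delimiter>, <prefix>, <suffix>, <valuePrefix> and <valueSuffix> combine into the token value, for both the checkbox and multiselect examples, shown as an added sketch that follows the element descriptions on this page (it is not Splunk code). Assumptions of this sketch: the function names, an empty token value when nothing is selected, rejecting values that are not declared as a static <choice>, and the constructed search template `index=main $mv5$`.

```python
import re
import xml.etree.ElementTree as ET

# The <input> element from the page's multiselect example.
PAGE_MULTISELECT_INPUT = """
<input type="multiselect" token="mv5">
  <choice value="1">One</choice>
  <choice value="2">Two</choice>
  <choice value="3">Three</choice>
  <delimiter> AND </delimiter>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>"</valuePrefix>
  <valueSuffix>*"</valueSuffix>
</input>
"""

# $name$ placeholders, including dotted forms such as $time_tok.earliest$.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")


def child_text(element, tag):
    """Text of a child element, or "" when the child is absent or empty."""
    child = element.find(tag)
    return (child.text or "") if child is not None else ""


def build_token(input_xml, selected):
    """Return (token name, token value) for the selected choice values."""
    inp = ET.fromstring(input_xml)

    # Only values declared as a static <choice> are accepted here; choices
    # generated by a populating search are outside this sketch.
    declared = [choice.get("value") for choice in inp.findall("choice")]
    unknown = [value for value in selected if value not in declared]
    if unknown:
        raise ValueError("values not declared as <choice>: %r" % unknown)

    if not selected:
        return inp.get("token"), ""     # assumption: nothing selected

    # valuePrefix/valueSuffix wrap each value; the delimiter, including its
    # surrounding spaces, goes between values; prefix/suffix wrap the result.
    wrapped = [
        child_text(inp, "valuePrefix") + value + child_text(inp, "valueSuffix")
        for value in selected
    ]
    value = (child_text(inp, "prefix")
             + child_text(inp, "delimiter").join(wrapped)
             + child_text(inp, "suffix"))
    return inp.get("token"), value


def fill_template(template, tokens):
    """Replace $name$ placeholders; undefined tokens are left untouched."""
    return TOKEN_RE.sub(lambda m: tokens.get(m.group(1), m.group(0)), template)


if __name__ == "__main__":
    name, value = build_token(PAGE_MULTISELECT_INPUT, ["1", "3"])
    print(name, "=", value)
    # Constructed search template, not from the page.
    print(fill_template("index=main $mv5$", {name: value}))
```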

input (radio)

<input type="radio">

Defines a radio input to a form.

Attributes
Name Type Default Description
searchWhenChanged Boolean False Specifies to run the search upon a new selection.
token String Specifies which token in the search string to replace with the specified value.
Parent element
<fieldset>
<input type="radio" token="[search token]"> (1..n)
  <choice> (0..n)
  <label> (0..1)
  <default> (0..1)
  <prefix> (0..1)
  <selectFirstChoice> (0..1)
  <populatingSearch> | <populatingSavedSearch> (0..1)
  <suffix> (0..1)
<radio> child elements
element Type Default Description
<choice value=[value]> text value: Required. Specifies the value to use for the choice.

Specifies choices for a radio or dropdown element. The <choice> text is the label to use for the specified value.

<default> Attribute value Specifies a default value for an input element.
<label> text Text displayed with the input element.
<populatingSavedSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]">

<populatingSearch
   fieldForLabel="[Field name]"
   fieldForValue="[Field name]"
   earliest="[timeformat]"
   latest="[timeformat]">

text fieldForLabel: Required. The field to use for the labels of the generated values from the search.

fieldForValue: Required. The field to use for the values of the generated values from the search.

Search to populate the possible values of a <dropdown> or <radio> input element.

<populatingSavedSearch> specifies a search from a report.

<populatingSearch> specifies an inline search.

<prefix> String String prefixed to the value of the input element. Can be a regular expression.
<selectFirstChoice> boolean
false
Indicates if the first item listed is the default item for the input. If a value for <default> is present, <selectFirstChoice> is ignored.
<suffix> String String appended to the value of the input element. Can be a regular expression.
Example
<fieldset>
  <input type="radio" token="from" searchWhenChanged="true"> 
    <label>Select from address</label> 
    <choice value="*">Any</choice> 
    <populatingSearch fieldForValue="from" fieldForLabel="from"> 
      <![CDATA[index=sample | top from | stats count by from]]> 
    </populatingSearch> 
  </input> 
</fieldset>

input (text)

<input type="text">

Defines the type of input to a form.

Attributes
Name Type Default Description
searchWhenChanged Boolean False Specifies to run the search when new text is entered.
token String Specifies which token in the search string to replace with the specified value.
Parent element
<fieldset>
<text> child elements
element Type Default Description
<default> Attribute value Specifies a default value for an input element.
<label> text Text displayed with the input element.
<prefix> String String prefixed to the value of the input element. Can be a regular expression.
<seed> Attribute value The initial value of the input element.
<suffix> String String appended to the value of the input element. Can be a regular expression.
<input type="text" token="[search token]"> (1)
  <label> (0..1)
  <default> (0..1)
  <seed> (0..1)
  <prefix> (0..1)
  <suffix> (0..1)
Example
<fieldset>
  <input type="text" token="series">
    <label>sourcetype</label>
    <default></default>
    <seed>splunkd</seed>
    <suffix>*</suffix>
  </input>
</fieldset>

input (time)

<input type="time">

Specifies a time picker input to a form.

Use tokens to specify more than one time range picker. If you do not specify a token for a time picker, the time picker becomes global. Any visualization that does not specify a time range, either through a reference to a time picker token or directly in code, applies the time range from the global time picker.

Attributes
Name Type Default Description
token text Use tokens to associate a time picker with a panel.

When referencing a time picker token, use the earliest and latest modifiers to the token to specify a time range. See the example below.

searchWhenChanged Boolean False Specifies to run the search upon a new selection.
Parent element
<fieldset>
<input type="time" [ token="[text]" ] [ searchWhenChanged="[true|false]" ]> (0..n)
  <label> (0..1)
  <default> (0..1)
    [time preset] (0..1) |
    <earliestTime> (0..1)
    <latestTime> (0..1)
  </default>
element Type Default Description
<default> text or time modifier Specifies a default value for an input element. You can specify either a preset value, as listed in times.conf, or the <earliestTime> and <latestTime> for a custom default time range.

See <earliestTime> and <latestTime> for details.

<label> text Text displayed with the input element.
Example

The default value for the time picker is set to the last seven days. The <chart> element in this example references the $time_tok$ token for the time picker. The chart updates with any new selected time range.

<form>
  <label>Form Input Example (Time)</label>
  <description/>
  <fieldset submitButton="false">
    <input type="dropdown" token="source_tok" searchWhenChanged="true">
      <label>Select a source type</label>
      <choice value="*">All</choice>
      <populatingSearch earliest="-24h@h" latest="now"
            fieldForLabel="sourcetype" fieldForValue="sourcetype">
               index=_internal | stats count by sourcetype
      </populatingSearch>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <default>*</default>
    </input>
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Select time range</label>
      <default>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Source type count for last 7 days</title>
        <searchString>
          index=_internal $source_tok$ | timechart count
        </searchString>
        <earliestTime>$time_tok.earliest$</earliestTime>
        <latestTime>$time_tok.latest$</latestTime>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>



populatingSavedSearch

<populatingSavedSearch>

A search from a report to populate the labels and corresponding values for the options of the following inputs:

  • <checkbox>
  • <dropdown>
  • <multiselect>
  • <radio>

Caution: Do not use a real-time search for a populating search. The input choices do not update correctly when using a real-time search.

You can specify a populating saved search from Splunk Web in the Dynamic section of the Input Editor. See Specify choices with dynamic options for an example. The example is for an inline search, but the procedure is the same.

Attributes
Name Type Default Description
fieldForLabel Field name Required: The field to use for the label of the list of generated values from the search.
fieldForValue Field name Required. The field to use for the value of the generated values from the search.
Parent elements
<input type="radio"> | <input type="dropdown">
<populatingSavedSearch fieldForValue="[field name]" fieldForLabel="[field name]"> 
    [report name]
</populatingSavedSearch> 
Example

Populate a dropdown input with dynamically populated options for selecting the source type. See the corresponding example for <populatingSearch>.

<form>
  <label>Form Input Example (Populating Search)</label>
  <description/>
  <fieldset submitButton="false">
    <input type="dropdown" token="source_tok" searchWhenChanged="true">
      <label>Select a source type</label>
      <choice value="*">All</choice>
      <populatingSavedSearch
            fieldForLabel="sourcetype" fieldForValue="sourcetype">
               myReport
      </populatingSavedSearch>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Source type count for last 7 days</title>
        <searchString>
          index=_internal $source_tok$ | timechart count
        </searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>

populatingSearch

<populatingSearch>

An inline search to populate the labels and corresponding values for the options of the following inputs:

  • <checkbox>
  • <dropdown>
  • <multiselect>
  • <radio>

Caution: Do not use a real-time search for a populating search. The input choices do not update correctly when using a real-time search.

You can specify a populating search from Splunk Web in the Dynamic section of the Input Editor. See Specify choices with dynamic options for an example.

Attributes
Name Type Default Description
fieldForLabel Field name Required: The field to use for the label of the list of generated values from the populating search.
fieldForValue Field name Required. The field to use for the value of the generated values from the populating search.
earliest
latest
Time modifier Restrict search results to a specific time window, specifying one or both of earliest and latest. For example, specify earliest="-7d" latest="-1d". Specify rt to enable real-time searches. See <earliestTime> and <latestTime> for details on specifying time modifiers.
Parent elements
<input type="radio"> | <input type="dropdown">
<populatingSearch
  fieldForValue="[field name]" fieldForLabel="[field name]"
  earliest="[timeformat]" latest="[timeformat]"> 
    [inline search]
</populatingSearch> 
Example

Populate a dropdown input with dynamically populated options for selecting the source type.

<form>
  <label>Form Input Example (Populating Search)</label>
  <description/>
  <fieldset submitButton="false">
    <input type="dropdown" token="source_tok" searchWhenChanged="true">
      <label>Select a source type</label>
      <choice value="*">All</choice>
      <populatingSearch earliest="-24h@h" latest="now"
            fieldForLabel="sourcetype" fieldForValue="sourcetype">
               index=_internal | stats count by sourcetype
      </populatingSearch>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Source type count for last 7 days</title>
        <searchString>
          index=_internal $source_tok$ | timechart count
        </searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>


Panel visualization elements

chart

<chart>

A panel displaying search data in chart format. The search driving the panel can be an inline search or a saved report, which contains chart formatting parameters. For more information on saving reports, see Create and edit reports.

When you load a saved report in the chart panel, your saved report format is also loaded. However, chart formatting can be overridden inline using the chart options.

Charts use named options to specify chart-specific properties. This reference lists the basic panel options for charts. See the Chart Configuration Reference for a complete list of chart options.

Attributes
Name Type Default Description
depends comma-separated list of tokens
Tokens in this list must be defined for this visualization to be rendered for in-page drilldown. You can specify one or more tokens.
id text Unique id for this panel
rejects comma-separated list of tokens
Tokens in this list must be defined to prevent this visualization from being rendered for in-page drilldown.
Parent element
<row>
<chart>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <drilldown> (0..n)
  <selection> (0..n, for charts of type area, line, and column only)
  <option name="[property]"> (0..n)
Options
property Type Default Description
charting.chart (area | bar | column | fillerGauge | line | markerGauge | pie | radialGauge | scatter)
column
Set the chart type.
charting.legend.placement (top | left | bottom | right | none)
right
Indicates the placement of the legend.
charting.*
All of the formatting options supported for chart. See the Custom Chart Reference for details.
drilldown (all | none)
Deprecated. Use charting.drilldown, which is documented in General Chart Properties of the Chart Configuration Reference.
height Number
Height, in pixels, of the chart.
link.exportResults.visible Boolean
(See description)
Show the Export button at the bottom of the panel.

Default value: The value of link.visible.

link.inspectSearch.visible Boolean
(See description)
Show the Inspect button at the bottom of the panel.

Default value: The value of link.visible.

link.openPivot.visible Boolean
(See description)
Show the Open in Pivot button at the bottom of the panel.

Default value: The value of link.visible.

link.openSearch.search search string
The alternative search to use for the Open in Search button.
link.openSearch.searchEarliestTime (time modifier)
(See description)
The earliest time to use for the alternative search specified by link.openSearch.search.

Default value: The earliest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.searchLatestTime (time modifier)
(See description)
The latest time to use for the alternative search specified by link.openSearch.search.

Default value: The latest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.text text
Open in Search
The label to use for the Open in Search button.
link.openSearch.ViewTarget View name
Search
The target view for the Open in Search button.
link.openSearch.visible Boolean
(See description)
Show the Open in Search button at the bottom of the panel.

Default value: The value of link.visible

link.visible Boolean
true
Show link buttons at the bottom of the panel.
refresh.auto.interval Number
0
Specifies, in seconds, the refresh interval. To disable panel refresh, specify 0 (or a negative integer).
refresh.time.visible Boolean
true
Display the refresh time indicator in the panel.
refresh.link.visible Boolean
true
Display the refresh link in the panel.
Example

Example line chart panel using an inline search. It limits results to a specified time window and provides labels for the X and Y axes:

<chart>
  <title>Top five sourcetypes in the last week</title>
  <searchString>
    index=_internal source="*metrics.log" group=per_sourcetype_thruput
    | timechart sum(kb) by series
  </searchString>
  <earliestTime>-1w</earliestTime>
  <latestTime>-1d</latestTime>
  <option name="height">200px</option>
  <option name="charting.chart">line</option>
</chart>

event

<event>

A panel displaying search results as individual events.

Attributes
Name Type Default Description
depends comma-separated
list of tokens
Tokens in this list must be defined for this visualization to be rendered for in-page drilldown.

You can specify one or more tokens.

id String Unique id for this panel
rejects comma-separated
list of tokens
Tokens in this list must be defined to prevent this visualization from being rendered for in-page drilldown.
Parent element
<row>
<event>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <fields> (0..1)
  <option name="[property]"> (0..n)
Options
property Type Default Description
count Integer The maximum number of rows to display.
displayRowNumbers Boolean
False
(Deprecated) Use the attribute rowNumbers

Toggle display of row numbers.

drilldown (all | none)
all
Enables (or disables) all type-specific drilldowns (list.drilldown, table.drilldown, raw.drilldown).

Type-specific drilldown options override what is set here.

all: Drilldown is enabled.
none: Drilldown is disabled.

entityName (events | results)
events
Toggle whether to show events or results.

Events are individual events, while results are created by statistical operators.

link.exportResults.visible Boolean
(See description)
Show the Export button at the bottom of the panel.

Default value: The value of link.visible.

link.inspectSearch.visible Boolean
(See description)
Show the Inspect button at the bottom of the panel.

Default value: The value of link.visible.

link.openPivot.visible Boolean
(See description)
Show the Open in Pivot button at the bottom of the panel.

Default value: The value of link.visible.

link.openSearch.search search string
The alternative search to use for the Open in Search button.
link.openSearch.searchEarliestTime (time modifier)
(See description)
The earliest time to use for the alternative search specified by link.openSearch.search.

Default value: The earliest time used by the panel.

Specify the time using time modifiers.
See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.searchLatestTime (time modifier)
(See description)
The latest time to use for the alternative search specified by link.openSearch.search.

Default value: The latest time used by the panel.

Specify the time using time modifiers.
See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.text text
Open in Search
The label to use for the Open in Search button.
link.openSearch.ViewTarget View name
Search
The target view for the Open in Search button.
link.openSearch.visible Boolean
(See description)
Show the Open in Search button at the bottom of the panel.

Default value: The value of link.visible

link.visible Boolean
true
Show link buttons at the bottom of the panel.
list.drilldown (full | inner | outer | none)
full
Specifies how drilldown operates in the event listing:

full: Enables the entire entry for drilldown.

inner: Enables inner elements of the event listing for drilldown.

outer: Enables outer elements of the event listing for drilldown.

none: Disables drilldown.

list.wrap Boolean
true
Indicates whether to wrap the contents of the event listing.
maxLines Integer The maximum number of lines to display for each result/event.
raw.drilldown (full | inner | outer | none)
full
Specifies how drilldown operates in the raw event listing:

full: Enables the entire entry for drilldown.

inner: Enables inner elements of the event listing for drilldown.

outer: Enables outer elements of the event listing for drilldown.

none: Disables drilldown.

refresh.auto.interval Number
0
Specifies, in seconds, the refresh interval.

To disable panel refresh, specify 0 (or a negative integer).

refresh.time.visible Boolean
true
Display the refresh time indicator in the panel.
refresh.link.visible Boolean
true
Display the refresh link in the panel.
rowNumbers Boolean
False
Indicates whether to display row numbers.
segmentation (none | inner | outer | full)
none
Deprecated: Use list.drilldown or raw.drilldown instead.

Sets the segmentation of events displayed.
This affects what you can click on within the event.

If you specify segmentation together with either list.drilldown or raw.drilldown,
the value of segmentation is ignored.

showPager Boolean
True
Toggle pagination on or off.
softWrap Boolean Enables wrapping of events.
table.sortColumn text Specifies the column on which to sort for the table.
table.sortDirection (asc | desc)
asc
Indicates the sort direction for items in the table.
table.drilldown (all | none) all Indicates whether drilldown functionality is enabled for the table.

all: Drilldown is enabled.
none: Drilldown is disabled.

table.wrap Boolean Indicates whether text in the table wraps.
type (list | raw | table)
list
Indicates the format for displaying events.
Example
<event>
  <title>Event view</title>
  <searchString>changelist | head 1000 | dedup changelist</searchString>
  <fields>added deleted changed</fields>
  <option name="showPager">true</option>
  <option name="count">20</option>
  <option name="rowNumbers">false</option>
</event>

html

<html>

The HTML panel displays inline HTML. The panel interprets the entire contents between the HTML tags literally, displaying HTML formatted text in the panel.

Any relative link references, such as images, are relative to the current view location. The HTML panel does not accept any options.

Attributes
Name Type Default Description
depends comma-separated
list of tokens
Tokens in this list must be defined for this visualization to be rendered for in-page drilldown. You can specify one or more tokens.
id String Unique id for this panel
rejects comma-separated
list of tokens
Tokens in this list must be defined to prevent this visualization from being rendered for in-page drilldown.
src String Specifies an HTML file to display in the HTML panel.

Place the HTML file in the following directory:

$SPLUNK_HOME/etc/apps/appname/appserver/static/
Parent elements
<row>
<html>
Example

HTML panel showing how to reference a local image:

<html>
  <h1>HTML Panel Example</h1>
  <p>The HTML panel displays inline HTML.</p>
  <p>
    The panel interprets the entire contents between the HTML tags literally, displaying
    HTML formatted text in the panel. The HTML panel does not accept any options.
  </p>
  <p>
    Any relative link references, such as images,
    are relative to the current view location. 
  </p>
  <p>
    For the following image in the Search app: <img src="/static/app/search/appIcon.png"/>
  </p>
  <p>Path to image: 
    <pre>$SPLUNK_HOME/apps/appserver/static/app/search/appIcon.png</pre>
    HTML source:
     <pre>&lt;img src="/static/app/search/appIcon.png" /&gt; </pre>
  </p>
</html>

list

<list>

A panel displaying data in a list. Use this panel to display information from saved searches or search results.

Attributes
Name Type Default Description
depends comma-separated
list of tokens
Tokens in this list must be defined for this visualization to be rendered for in-page drilldown. You can specify one or more tokens.
id String Unique id for this panel
rejects comma-separated
list of tokens
Tokens in this list must be defined to prevent this visualization from being rendered for in-page drilldown.
Parent elements
<row>
<list>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <option name="[property]"> (0..n)
Options
Property Type Default Description
labelField Field name (Required) The field name to use to generate labels for a list.
valueField Field name (Required) The name of the result field whose value should be displayed in the label part of the link list. Link lists are generally a combination of a descriptive label and a numeric count or other (value) field.
initialSort Field name The initial field on which to sort.
initialSortDir (asc | desc)
asc
The direction to sort the results based on the initialSort field.
labelFieldSearch Search string The search string to generate when the user clicks on the label field. Requires labelFieldTarget to be defined to a valid view. The value of the label field is automatically added to the search.
labelFieldTarget View name The view to target if the label field is set up to generate a clickable link that dispatches a search.
refresh.auto.interval Number
0
Specifies, in seconds, the refresh interval. To disable panel refresh, specify 0 (or a negative integer).
refresh.time.visible Boolean
true
Display the refresh time indicator in the panel.
refresh.link.visible Boolean
true
Display the refresh link in the panel.
Example

Example list panel listing the sourcetype for errors, followed by host name for the error:

<list>
  <searchName>Errors in the last 24 hours</searchName>
  <option name="labelField">sourcetype</option>
  <option name="valueField">host</option>
</list>

map

<map>

Provides for mapping geographic coordinates as interactive markers on a world map. This visualization depends on results from the geostats search command.

Refer to geostats in the Splunk Search Reference for details on implementing a geostats search.

Attributes
Name Type Default Description
depends comma-separated
list of tokens
Tokens required to be present for this visualization to be rendered for in-page drilldown. You can specify one or more tokens.
id String Unique id for this panel
rejects comma-separated
list of tokens
Tokens, if present, that prevent this visualization from being rendered for in-page drilldown.
Parent element
<row>
<map>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <option name="[property]"> (0..n)
Options
property Type Default Description
drilldown (all | none)
all
all: Drilldown is enabled.

none: Drilldown is disabled.

link.exportResults.visible Boolean
(See description)
Show the Export button at the bottom of the panel.

Default value: The value of link.visible.

link.inspectSearch.visible Boolean
(See description)
Show the Inspect button at the bottom of the panel.

Default value: The value of link.visible.

link.openSearch.search search string
The alternative search to use for the Open in Search button.
link.openSearch.searchEarliestTime (time modifier)
(See description)
The earliest time to use for the alternative search specified by link.openSearch.search.

Default value: The earliest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.searchLatestTime (time modifier)
(See description)
The latest time to use for the alternative search specified by link.openSearch.search.

Default value: The latest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.text text
Open in Search
The label to use for the Open in Search button.
link.openSearch.ViewTarget View name
Search
The target view for the Open in Search button.
link.openSearch.visible Boolean
(See description)
Show the Open in Search button at the bottom of the panel.

Default value: The value of link.visible

link.visible Boolean
true
Show link buttons at the bottom of the panel.
mapping.data.maxClusters Integer
100
The maximum number of clusters to render.

Caution: Setting this option to a large number of clusters can significantly degrade performance. Splunk recommends values below 1000.

mapping.fieldColors field:hexvalue,
. . .
A comma-separated map of field names to hexadecimal color values (0xRRGGBB) to define colors for specific series.
mapping.seriesColors hexvalue, . . .
Default*
A list of hexadecimal color values (0xRRGGBB) from which to sample colors for series with no specific colors assigned using the fieldColors property.
mapping.map.center (lat,long) The initial center point of the map. Latitude values can range from -85 to 85, with values outside of this range being clipped. Longitude values can range from -180 to 180, with values outside of this range being wrapped to fall within it.
mapping.map.zoom Number The initial zoom level of the map.
mapping.map.fitBounds (south-lat,
west-long,
north-lat,
east-long)
The initial bounds to fit within the map view area. Latitude values can range from -85 to 85, with values outside of this range being clipped.

Longitude values can range from -180 to 180, with values outside of this range being wrapped to fall within it.

Values assigned to this property effectively override any values assigned to the center or zoom properties.

Example to specify San Francisco Bay Area:

<option name="mapping.map.fitBounds">(37.5,-123,38,-122)</option>

mapping.tileLayer.url URL template
See description
The URL to use for requesting tiles, based on the following template:

http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png

mapping.tileLayer.subdomains [string,. . .]
[a,b,c]
A list of subdomains to distribute tile requests over. More subdomains allows more tiles to be requested simultaneously.

See example below.

mapping.tileLayer.minZoom Integer
0
The minimum zoom level of the tileset.
mapping.tileLayer.maxZoom Integer
7
The maximum zoom level of the tileset.

Use any non-negative integer to specify the maximum zoom level.

mapping.tileLayer.invertY Boolean
False
Whether to invert the y coordinate for tile requests. TMS servers use inverse y-axis numbering.
mapping.tileLayer.attribution String
See description
A copyright attribution to be displayed in the bottom right corner of the map. The default value:

Map data (c) 2012 OpenStreetMap contributors, CC-BY-SA.

See example below.

mapping.markerLayer.markerOpacity Number
0.8
The opacity of the markers. Values can range from 0 (transparent) to 1 (opaque).
mapping.markerLayer.markerMinSize Number
10
The minimum size of the markers, in pixels.
mapping.markerLayer.markerMaxSize Number
50
The maximum size of the markers, in pixels.
refresh.auto.interval Number
0
Specifies, in seconds, the refresh interval. To disable panel refresh, specify 0 (or a negative integer).
refresh.time.visible Boolean
true
Display the refresh time indicator in the panel.
refresh.link.visible Boolean
true
Display the refresh link in the panel.

* Default value for mapping.seriesColors: [0x6CB8CA,0xFAC61D,0xD85E3D,0x956E96,0xF7912C,0x9AC23C,0x5479AF,0x999755,0xDD87B0,0x65AA82, 0xA7D4DF,0xFCDD77,0xE89E8B,0xBFA8C0,0xFABD80,0xC2DA8A,0x98AFCF,0xC2C199,0xEBB7D0,0xA3CCB4, 0x416E79,0x967711,0x823825,0x59425A,0x94571A,0x5C7424,0x324969,0x5C5B33,0x85516A,0x3D664E]

mapping.data.maxClusters example

The following example sets the maximum number of clusters to 250:

<map>
   <option name="mapping.data.maxClusters">250</option>
</map>
mapping.fieldColors and mapping.seriesColors example

The following example configures the "foo" and "bar" fields to be red (0xFF0000) and green (0x00FF00), respectively, and configures all other fields to be blue (0x0000FF):

<map>
   <option name="mapping.fieldColors">{foo:0xFF0000,bar:0x00FF00}</option>
   <option name="mapping.seriesColors">[0x0000FF]</option>
</map>
mapping.map.fitBounds example

The following example initializes the map view to a boundary around San Francisco:

<map>
  <option name="mapping.map.fitBounds">
    (37.5,-123,38,-122)
  </option>
</map>
mapping.tileLayer.* example

The following example configures the client to request tiles from openstreetmap.org (this is the default configuration):

<map>
   <option name="mapping.tileLayer.url">http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png</option>
   <option name="mapping.tileLayer.subdomains">[a,b,c]</option>
   <option name="mapping.tileLayer.maxZoom">18</option>
   <option name="mapping.tileLayer.attribution">
     Map data (c) 2012 OpenStreetMap contributors, CC-BY-SA.
   </option>
</map>
map example, using foursquare data

This example assumes you are indexing foursquare data as source foursquare. It produces the map depicted below.

<map>
  <title>Roma</title>
  <searchString>
    sourcetype=foursquare 
    | geostats latfield=checkin.geolat longfield=checkin.geolong count by checkin.user.gender
  </searchString>
  <option name="mapping.data.maxClusters">500</option>
  <option name="mapping.markerLayer.markerMaxSize">20</option>
  <option name="mapping.map.fitBounds">(41.3,12.7,41.5,12.8)</option>
  <option name="mapping.seriesColors">[0x0060DD]</option>
  <option name="mapping.map.zoom">4</option>
</map>
Viz ItalyMap3.png
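
The mapping.tileLayer.* options and the HTML panel described above decide which hosts a viewer's browser requests content from when a dashboard loads. The following Python script is an added example, not Splunk code: it audits a Simple XML dashboard for tile URLs that are not https or not on an allowlist (including the documented default when the option is absent), for mapping.data.maxClusters values at or above the recommended limit, and for HTML panels that load a file through src or reference absolute URLs. The allowlist, the finding codes and the sample dashboard are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Documented default for mapping.tileLayer.url (applies when the option is absent).
DEFAULT_TILE_URL = "http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png"
# Assumption: tile hosts this deployment permits (hypothetical policy value).
ALLOWED_TILE_HOSTS = {"tiles.example.internal"}
# The reference recommends mapping.data.maxClusters values below 1000.
MAX_CLUSTERS_LIMIT = 1000

# Constructed sample dashboard, not taken from a real deployment.
SAMPLE = """<dashboard>
  <label>Constructed sample</label>
  <row>
    <map>
      <searchString>sourcetype=foursquare | geostats latfield=checkin.geolat longfield=checkin.geolong count</searchString>
      <option name="mapping.tileLayer.url">http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png</option>
      <option name="mapping.data.maxClusters">5000</option>
    </map>
    <html src="notes.html"/>
    <html>
      <p>Local: <img src="/static/app/search/appIcon.png"/></p>
      <p>Remote: <img src="http://img.example.net/logo.png"/></p>
    </html>
  </row>
</dashboard>"""

# Absolute ("http://host/...") or scheme-relative ("//host/...") references.
_EXTERNAL = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.I)


def check_tile_url(url):
    """Return (code, detail) findings for one mapping.tileLayer.url template."""
    findings = []
    # Drop the {s} subdomain label and fill {z}/{x}/{y} so urlparse sees a plain URL.
    probe = re.sub(r"\{[szxy]\}", "0", url.replace("{s}.", ""))
    parsed = urlparse(probe)
    host = parsed.hostname or ""
    if parsed.scheme.lower() != "https":
        findings.append(("TILE_NOT_HTTPS", url))
    if host not in ALLOWED_TILE_HOSTS:
        findings.append(("TILE_HOST_NOT_ALLOWED", host))
    missing = [p for p in ("{z}", "{x}", "{y}") if p not in url]
    if missing:
        findings.append(("TILE_MISSING_PLACEHOLDER", ",".join(missing)))
    return findings


def audit_dashboard(xml_text):
    """Return (code, detail) findings for <map> and <html> panels in a dashboard."""
    root = ET.fromstring(xml_text)
    findings = []

    for panel in root.iter("map"):
        opts = {o.get("name"): (o.text or "").strip() for o in panel.findall("option")}
        # A map without the option still requests tiles from the default URL.
        findings += check_tile_url(opts.get("mapping.tileLayer.url", DEFAULT_TILE_URL))
        raw = opts.get("mapping.data.maxClusters")
        if raw is not None:
            if not raw.isdigit():
                findings.append(("MAXCLUSTERS_INVALID", raw))
            elif int(raw) >= MAX_CLUSTERS_LIMIT:
                findings.append(("MAXCLUSTERS_HIGH", raw))

    for panel in root.iter("html"):
        # src points at a file under appserver/static/; its content needs its own review.
        if panel.get("src"):
            findings.append(("HTML_SRC_FILE", panel.get("src")))
        for el in panel.iter():
            if el is panel:
                continue
            for attr in ("src", "href"):
                value = el.get(attr, "")
                if _EXTERNAL.match(value):
                    findings.append(("HTML_EXTERNAL_REF", value))
    return findings


if __name__ == "__main__":
    for code, detail in audit_dashboard(SAMPLE):
        print(f"{code}: {detail}")
```
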

single

<single>

A panel displaying the results of a search that returns a single value. You can change the color of the panel by specifying a rangemap for the returned values.

Caution: If you specify a search that returns multiple values, the single value panel displays the value from either the first row or first column of returned search data.

Attributes
Name Type Default Description
depends comma-separated
list of tokens
Tokens in this list must be defined for this visualization to be rendered for in-page drilldown. You can specify one or more tokens.
id String Unique id for this panel
rejects comma-separated
list of tokens
Tokens, if present, that prevent this visualization from being rendered for in-page drilldown.
Parent elements
<row>
<single>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <option name="[property]"> (0..n)
Options
Property Type Default Description
additionalClass CSS class name An additional css class name to add to the result container.
afterLabel String Label to display after the result.
beforeLabel String Label to display before the result.
classField (classname | severe | high | elevated | guarded | low | None) Adds the value of the classField of the first result as an additional CSS class to the result container.

Specify a CSS class name or use one of the pre-defined classes: severe, high, elevated, guarded, low, None

drilldown (all | none)
none
all: Drilldown enabled.
none: Drilldown disabled.
field Field name
First field returned
The field to display
link.exportResults.visible Boolean
(See description)
Show the Export button at the bottom of the panel.

Default value: The value of link.visible.

link.inspectSearch.visible Boolean
(See description)
Show the Inspect button at the bottom of the panel.

Default value: The value of link.visible.

link.openPivot.visible Boolean
(See description)
Show the Open in Pivot button at the bottom of the panel.

Default value: The value of link.visible.

link.openSearch.search search string
The alternative search to use for the Open in Search button.
link.openSearch.searchEarliestTime (time modifier)
(See description)
The earliest time to use for the alternative search specified by link.openSearch.search.

Default value: The earliest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.searchLatestTime (time modifier)
(See description)
The latest time to use for the alternative search specified by link.openSearch.search.

Default value: The latest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.text text
Open in Search
The label to use for the Open in Search button.
link.openSearch.ViewTarget View name
Search
The target view for the Open in Search button.
link.openSearch.visible Boolean
(See description)
Show the Open in Search button at the bottom of the panel.

Default value: The value of link.visible

link.visible Boolean
false
Show link buttons at the bottom of the panel.
linkFields (result | beforelabel | afterlabel | underlabel)

Comma-separated list
result
Set which part of the text in the single value to use as a link for drilldown. To link the result and both labels, set as:
result, beforelabel, afterlabel

Note: Both properties linkFields and linkSearch are required to enable drilldown. The property linkView is optional – use linkView to specify a target view other than Search for drilldown.

linkSearch Search string A valid complete search query to turn the result into a clickable link.

Note: Both properties linkFields and linkSearch are required to enable drilldown. The property linkView is optional – use linkView to specify a target view other than Search for drilldown.

linkView View name
(See description)
Specify which view to execute the linked search against for drilldown.

You can specify any view in which the app is located or any view which has global permission.

There is no default value for linkView. If you do not provide a value, then drilldown behavior is disabled.

refresh.auto.interval Number
0
Specifies, in seconds, the refresh interval. To disable panel refresh, specify 0 (or a negative integer).
refresh.time.visible Boolean
true
Display the refresh time indicator in the panel.
refresh.link.visible Boolean
false
Display the refresh link in the panel.
underLabel String Label to display beneath the result.
Example

Example single value panel displaying before and after labels, and specifying a color range. The range map in the search specifies the values for each range. This panel uses the Splunk default colors for a range map.

<single>
  <searchString>
      index=_internal source="*splunkd.log" ( log_level=ERROR 
      OR log_level=WARN* OR log_level=FATAL 
      OR log_level=CRITICAL) | stats count as log_events 
      | rangemap field=log_events low=1-100 elevated=101-300 default=severe
  </searchString>
  <title>Log events</title>
  <earliestTime>-1d</earliestTime>
  <latestTime>now</latestTime>
  <option name="classField">range</option>
  <option name="afterLabel">total logging events</option>
  <option name="beforeLabel">Found</option>
</single>


table

<table>

A panel displaying search data as a table.

Attributes
Name Type Default Description
depends comma-separated
list of tokens
Tokens in this list must be defined for this visualization to be rendered for in-page drilldown. You can specify one or more tokens.
id String Unique id for this panel
rejects comma-separated
list of tokens
Tokens, if present, that prevent this visualization from being rendered for in-page drilldown.
Parent element
<row>
<table>
  <title> (0..1)
  <searchName> | <searchString> | <searchTemplate> | <searchPostProcess> (0..1)
  <earliestTime> (0..1)
  <latestTime> (0..1)
  <fields> (0..1)
  <drilldown> (0..n)
  <format type="sparkline" field="[field name]"> (0..n)
  <option name="[property]"> (0..n)
Options
property Type Default Description
count Integer
10
The maximum number of rows to display.
dataOverlayMode (heatmap | highlow)
None
Indicates which type of overlay to display.
displayRowNumbers Boolean
True
(Deprecated) Use the rowNumbers attribute.
drilldown (all | cell | row | none | off)
cell
Enables drilldown on row or cell level, or disables drilldown.

all, cell: Enables drilldown. These two values are equivalent. Enables drilldown on the cell level.

row: Enables drilldown for a row.

none: Disables drilldown but preserves hypertext styling.

off: Disables drilldown and removes hypertext styling

link.exportResults.visible Boolean
(See description)
Show the Export button at the bottom of the panel.

Default value: The value of link.visible.

link.inspectSearch.visible Boolean
(See description)
Show the Inspect button at the bottom of the panel.

Default value: The value of link.visible.

link.openPivot.visible Boolean
(See description)
Show the Open in Pivot button at the bottom of the panel.

Default value: The value of link.visible.

link.openSearch.search search string
The alternative search to use for the Open in Search button.
link.openSearch.searchEarliestTime (time modifier)
(See description)
The earliest time to use for the alternative search specified by link.openSearch.search.

Default value: The earliest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.searchLatestTime (time modifier)
(See description)
The latest time to use for the alternative search specified by link.openSearch.search.

Default value: The latest time used by the panel.

Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers.

link.openSearch.text text
Open in Search
The label to use for the Open in Search button.
link.openSearch.ViewTarget View name
Search
The target view for the Open in Search button.
link.openSearch.visible Boolean
(See description)
Show the Open in Search button at the bottom of the panel.

Default value: The value of link.visible

link.visible Boolean
true
Show link buttons at the bottom of the panel.
previewResults Boolean
True
Enable preview of results before the search is complete.
refresh.auto.interval Number
0
Specifies, in seconds, the refresh interval. To disable panel refresh, specify 0 (or a negative integer).
refresh.time.visible Boolean
true
Display the refresh time indicator in the panel.
refresh.link.visible Boolean
true
Display the refresh link in the panel.
rowNumbers Boolean
False
Toggle display of row numbers.
showPager Boolean
True
Toggle pagination on or off.
wrap Boolean
True
Enable wrapping of text in the results table.
Example

Example of a table panel using an inline search, displaying five rows, and disabling row numbers:

<table>
  <title>Top sourcetypes in the last 24 hours</title>
  <searchString>
    index=_internal group=per_sourcetype_thruput
    | chart sum(kb) by series | sort -sum(kb)
  </searchString>
  <earliestTime>-1d</earliestTime>
  <latestTime>now</latestTime>
  <option name="count">5</option>
  <option name="rowNumbers">false</option>
</table>

title

<title>

Specifies the title of a visualization element.

Parent elements
<chart> | <event> | <html> | <list> | <map> | <single> | <table>
<chart> |  <event> | <html> | <list> | <map> | <single> | <table>
  <title> (0..1)
Attributes

No attributes for <title>

Example

Specify a title for the <table> visualization:

<table>
  <title>Top sourcetypes in the last 24 hours</title>
  <searchString>
    index=_internal group=per_sourcetype_thruput
    | chart sum(kb) by series | sort -sum(kb)
  </searchString>
  <earliestTime>-1d</earliestTime>
  <latestTime>now</latestTime>
  <option name="count">5</option>
  <option name="rowNumbers">false</option>
</table>

Sparkline options

<format type="sparkline" field="[field name]">
Attributes
Name Type Default Description
field Field name Required. Specifies the field to which the sparkline is applied.
type String
sparkline
Required. sparkline is the only type supported. Specifies that a sparkline is being formatted.

A set of formatting options that determines how sparklines display in tables. Sparkline options are only applicable to the <table> element. Specify a sparkline option using the <format> element within a <table> element.

Do not confuse the sparkline options here, which format a sparkline, with the sparkline function to the chart or stats search command. The formatting options listed here require a search that uses the sparkline() function. See Add sparklines to search results for information on implementing sparklines.

Caution: The sparkline options listed in this reference do not render when generating a PDF of a dashboard. Only the sparkline itself renders.

Parent elements
<table>
<table>
   <format type="sparkline" field="[field name]"> (0..n)
     <option name="[property name]"> (0..n)
Common options
Property Type Default Description
chartRangeMax Number n/a Specify an alternate maximum sparkline range value.
chartRangeMin Number n/a Specify an alternate minimum sparkline range value.
height CSS style
auto
Height of the chart. Specify any valid CSS width (for example, 1.5em, 20px).
tooltipPrefix text Text to place before each field displayed in a tooltip.
tooltipSuffix text Text to append to each field displayed in a tooltip.
type (bar | discrete | line)
line
Specifies the type of sparkline
Options for bar charts
Property Type Default Description
barSpacing Number Space between each bar, in pixels.
barWidth Number Width of each bar, in pixels.
colorMap See description Range map to map specific values to selected colors.

For example if you want all values of -2 to appear yellow, use colorMap: { '-2': '#ff0' }.

You can pass an array of values here instead of a mapping to specify a color for each individual bar. For example, if your chart has three values 1,3,1 you can set colorMap=["red", "green", "blue"].

Options for discrete charts
Property Type Default Description
lineColor CSS style Used by line and discrete charts to specify the color of the line drawn as a CSS values string
lineHeight Number
30% of graph height
Height of each line, in pixels.
thresholdColor CSS color CSS color to use in combination with thresholdValue.
thresholdValue CSS color Draw values less than this using thresholdColor instead of lineColor
Options for line charts
Property Type Default Description
fillColor CSS color | false Specify the color to fill the area under the graph as a CSS value. Set to false to disable fill.
highlightLineColor CSS color
#f22
CSS color for the vertical line that appears through a value when moused over.

Set to null to disable.

highlightSpotColor CSS color
#f5f
Color for the spot that appears on a value when moused over.

Set to null to disable.

lineColor CSS style Used by line and discrete charts to specify the color of the line drawn as a CSS values string
lineWidth Number
1
Line width, in pixels.
maxSpotColor CSS color CSS color of the marker displayed for the maximum value.

Set to false or an empty string to hide it.

minSpotColor CSS color CSS color of the marker displayed for the minimum value.

Set to false or an empty string to hide it.

normalRangeMax range (see description) With normalRangeMin, threshold values between which to draw a bar to denote the "normal" or expected range of values.

For example the green (normal) bar in this range 80,85,84,88,98,114,116,104,95,85,84 might denote a normal operating temperature range.

normalRangeMin
range (see description)
With normalRangeMax, threshold values between which to draw a bar to denote the "normal" or expected range of values.

For example the green (normal) bar in this range 80,85,84,88,98,114,116,104,95,85,84 might denote a normal operating temperature range.

spotColor CSS color CSS color of the final value marker.

Set to false or an empty string to hide it.

spotRadius Number
1.5
Radius, in pixels, of all spot markers.
valueSpots range (see description) Points on which to draw spots, and with which color. Accepts a range.

For example, to render green spots on all values less than 50 and red on values higher, use {':49': 'green', '50:': 'red'}

width CSS style
auto
Width of the chart. Specify any valid CSS width (for example, 1.5em, 20px). This option does apply to bar and tristate type sparklines.
Example

Sparkline of type bar with a color map

<table>
  <title>Basic Sparkline Bar w/ Color Map</title>
  <!-- Set span for each sparkline datapoint to be 1 hour -->
  <searchString>
    index=_internal | chart count sparkline(count, 1h) as trend by sourcetype | sort -count
  </searchString>
  <earliestTime>-24h@h</earliestTime>
  <latestTime>now</latestTime>
  
  <!-- Set sparkline options here; make sure that field matches field name of the search results -->      
  <format type="sparkline" field="trend">
    <option name="type">bar</option>
    <option name="height">40px</option>
    <!-- Use colorMap to map specific values to selected colors -->      
    <option name="colorMap">
      <option name="2000:">#5379AF</option>
      <option name=":1999">#9ac23c</option>
    </option>
    <option name="barWidth">5px</option>
  </format>
</table>

fields

<fields>

Comma-separated list of fields. Use the <fields> element to restrict searches to these fields.
The order of the fields in the comma-separated list determines the order of the columns in the table or event listing.

Parent elements
<event> <table>
<event> | <table>
  <fields> (0..1)
Example

Restrict the results of the search to the following fields: host, ip, username

. . .
<table>
  <title>Top users, five hours ago</title>
  <searchString>host=production | top users</searchString>
  <fields>host,ip,username</fields>
  <earliestTime>-10h</earliestTime>
  <latestTime>-5h</latestTime>
</table>
. . .

options

<option>

The <option> tag applies a specific property to an element, such as a panel element. Use the name attribute to specify the property.

Typically, named options apply to a specific panel. However, some options can be applied to more than one panel.

Attribute
Name Type Default Description
name Property name (Required)

Specifies the name of the specific property.

The allowed values for <option> depend on the named property. Refer to the reference entry for each panel to see a list of named options and the allowed values.

Parent elements
<chart> <event> <list> <single> <table>
<chart> |  <event> | <html> | <list> | <single> | <table>
  . . . 
  <option name="[property]">[option value]</option> (0..n)
Example
<table>
  <title>Top sourcetypes in the last 24 hours</title>
  <searchString>
    index=_internal group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb)
  </searchString>
  <earliestTime>-1d</earliestTime>
  <latestTime>now</latestTime>
  <option name="count">5</option>
  <option name="rowNumbers">false</option>
</table>

Search elements for dashboards, forms, and panels

The following elements are available for use with <dashboard>, <form>, and panel elements. The description of each search element explains its usage.

The <searchPostProcess> element is a child of a panel element and requires that the parent <dashboard> or <form> element contain a base search.

earliestTime

<earliestTime>

Specifies the earliest time to include in a search.

You can specify the time as relative time or absolute time. For relative time, use relative time modifiers, as described in Specify relative time ranges in your search in the Search Manual. For absolute time, specify the time in UNIX epoch time format.

  • Note: UNIX epoch time format for absolute time in Simple XML is different from the SPL absolute time format.

If specified as a child of a panel visualization element, modifies the time for that visualization. If specified for a dashboard or a form, modifies the search for the dashboard or form.

Parent elements
<form> | <dashboard>
<chart> <event><list> <single> <table>
<earliestTime>[time expression]</earliestTime>
Examples

Modify time range for one visualization in a form.

<form>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"  
    | fields eps, kb, kbps
  </searchTemplate>
  . . .
  <row>
    <panel>
      <table>
        <title>Last Seven Days</title>
        <earliestTime>-7d</earliestTime>
        <latestTime>now</latestTime>
      </table>
    </panel>
  </row>
</form>

Modify the time range for a chart in a dashboard.

<dashboard>
  <row>
    <panel>
      <chart>
        <title>Error log count</title>
        <option name="charting.chart">radialGauge</option>
        <searchString>
           index=_internal source="*splunkd.log" 
           ( log_level=ERROR OR log_level=WARN* 
           OR log_level=FATAL OR log_level=CRITICAL )
           | stats count as log_events 
           | rangemap field=log_events low=1-100 elevated=101-300 default=severe
        </searchString>
        <earliestTime>-24h@h</earliestTime>
        <latestTime>now</latestTime>
      </chart>
    </panel>
  </row>
</dashboard>

latestTime

<latestTime>

Specifies the latest time to include in a search.

You can specify the time as relative time or absolute time. For relative time, use relative time modifiers, as described in Specify relative time ranges in your search in the Search Manual. For absolute time, specify the time in UNIX epoch time format.

  • Note: UNIX epoch time format for absolute time in Simple XML is different from the SPL absolute time format.

If specified as a child of a panel element, modifies the time for that panel. If specified for a dashboard or a form, modifies the search for the dashboard or form.

Parent elements
<form> | <dashboard>
<chart> <event><list> <single> <table>
<latestTime>[time expression]</latestTime>
Example
<form>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"  
    | fields eps, kb, kbps
  </searchTemplate>
  . . .
  <row>
    <panel>
      <table>
        <title></title>
        <earliestTime>-7d</earliestTime>
        <latestTime>now</latestTime>
      </table>
    </panel>
  </row>
</form>

searchName

<searchName>

The name of a report containing the search used by a panel.

Parent elements
<chart> <event> <list><map> <single> <table>
<searchName>[report name]</searchName>
Example (panel)
<chart>
  <searchName>Splunk errors last 24 hours</searchName>
</chart>

searchString

<searchString>

The inline search a visualization element uses to display results.

Parent elements
<chart> <event> <list> <map> <single> <table>
<chart> |  <event> | <html> | <list> | <map> | <single> | <table>
  <searchString>[search]</searchString> (1)
  <earliestTime>[time expression]</earliestTime> (0..1)
  <latestTime>[time expression]</latestTime> (0..1)
Attributes

No attributes for <searchString>.

Example (panel)
<table>
  <searchString>
      index="_internal" source="*metrics.log" group="pipeline" 
      | chart sum(cpu_seconds) over processor | sort -sum(cpu_seconds) 
      |rename sum(cpu_seconds) as "Total CPU Seconds"
  </searchString>
  <title>High CPU processors</title>
  . . .
</table>
Example (form)
<form>
  <fieldset>
   <input type="text" token="sourcetype" />
  </fieldset>
  <searchString>
    index=_internal source=*metrics.log group=per_sourcetype_thruput
      series="$sourcetype$" | head 1000
  </searchString>  
  <row>
    <panel>
      <table>
        <title>Matching events</title>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</form>

searchPostProcess

<searchPostProcess>

Inline search string to process events or results from a base search within a panel. Typically, the base search is a transforming search.

Caution: A post process search has an unconfigurable limit of 10,000 raw events that can be passed to it. Events in excess of this 10,000 event limit are not processed and silently ignored, resulting in incomplete data reported for the post process search.

Caution: Passing a large number of search results from a base search can cause a server time out. In this scenario, consider the following:

  • The number of results and fields returned from the base search.
  • The complexity of the post process operations on these results.

For more information on post process searches, see Use one search for a whole dashboard. This topic is in the advanced XML manual, but the principles apply to simple XML post process searches.

Parent elements
<chart> <event> <list> <single> <table>
<searchPostProcess>[search string]</searchPostProcess>
Example
<form>
  <fieldset>
      <input type="dropdown" token="reportTypeToken">
            <label>Select name</label>
            <default>Sourcetype</default>
            <choice value="index">Index</choice>
            <choice value="sourcetype">Sourcetype</choice>
            <choice value="source">Source</choice>
            <choice value="host">Host</choice>
        </input>
      <input type="time">
        <default>Last 4 hours</default>
      </input>
  </fieldset>
  
  <!-- Search that returns all of the data requested by subsequent panels -->
  <searchTemplate>
    index=_internal source=*metrics.log group="per_$reportTypeToken$_thruput"
    | bin _time span=1m | stats count by series, eps, kb, kbps, _time
  </searchTemplate>
  
  <row>
    <panel>
      <table>
          <title>eps over time</title>
          <searchPostProcess>timechart avg(eps) by series</searchPostProcess>
      </table>
    </panel>
    <panel>
      <chart>
          <title>KB indexed over time</title>
          <searchPostProcess>timechart sum(kb) by series</searchPostProcess>
          <option name="height">300px</option>
          <option name="charting.chart">area</option>
          <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
  </row>  
</form>

searchTemplate

<searchTemplate>

A base search for a form. Tokens delimited with $ (for example, $token$) are replaced with user inputs from the form.

<searchTemplate> can also be used with a <dashboard> or a panel.

Parent elements
<form>
<dashboard>
<chart> | <event> | <html> | <list> | <single> | <table>
Example
<form> 
  <label>Basic form search</label>  
  <fieldset> 
    <html> 
      <p> 
       Enter a sourcetype in the field below. 
      </p> 
    </html>    
     <!-- the default input type is a text box --> 
     <input token="sourcetype" /> 
  </fieldset> 
  <!-- search with replacement token delimited with $ --> 
  <searchTemplate> 
   index=_internal source=*metrics.log 
     group=per_sourcetype_thruput series="$sourcetype$" 
     | head 1000 
  </searchTemplate> 
  <row>
    <panel>
      <!-- output the results as a 50 row events table --> 
      <table> 
        <title>Matching events</title> 
        <option name="count">50</option> 
      </table>
    </panel> 
  </row> 
</form>

Drilldown elements

drilldown

<drilldown>

Define custom destinations to link to when a user clicks on fields in a dashboard or form.

Specify a path to the destination using the <link> tag.
Set or unset tokens using the <set> or <unset> tags.
Use a condition to limit setting or unsetting tokens to specific fields.

Note: You can specify one or more actions (<link>, <set>, <unset>) or conditions (<condition>) directly within <drilldown>, but you cannot specify both actions and conditions.

For details see Dynamic drilldown in dashboards and forms.

Attributes
Name Type Default Description
target text
Corresponds to the target attribute of the <a> HTML tag.

Specify "_blank" to open the drilldown in a new window.

Specify "_self" to open the drilldown in the same window.

Specify an arbitrary string to open the drilldown in a new window. Subsequent references to this target open in this window.

Parent elements
<chart> <event> <list> <map> <single> <table>
<drilldown>
  ( <link> | <set>  | <unset> ) (1..n) | <condition> (1..n)  
Example 1: Pass a value to a form
<table>
<searchString>index=_internal</searchString>

<!-- Pass the clicked row's 'count'-column value    -->
<!-- to populate a destination form's 'foo' token. -->
<drilldown>
  <link>
  /app/search/simple_xml_form?form.foo=$row.count$
  </link>
</drilldown>
</table>
Example 2: Pass parameters to a form
<table>
<searchString>index=_internal</searchString>

<!-- Pass the clicked cell's value, earliest time, -->
<!-- and latest time to a destination form's       -->
<!-- token ('foo') and search parameters           -->
<drilldown>
  <link>
  <![CDATA[
/app/search/simple_xml_form?form.foo=$click.value2$&earliest=$earliest$&latest=$latest$
  ]]>
  </link>
</drilldown>
</table>
Example 3: Pass a value from a chart to a website
<chart>
  <searchString>
    index=_internal | chart count by sourcetype
  </searchString>
  <option name="charting.chart">column</option>

  <!-- $click.value$ captures the value clicked by the user -->
  <!-- From the X-axis of a column chart and passes         -->
  <!-- it to the website as a query parameter               -->
  <drilldown>          
    <link>
      http://splunk-base.splunk.com/integrated_search/?q=$click.value$
    </link>
  </drilldown>
</chart>

condition

<condition>

Limits the scope of drilldown actions to clicks on specific fields.

If the <condition> element is not present, then drilldown actions apply to all fields.

Parent element
<drilldown>
<condition>
  (<link> | <set> | <unset>) (1..n)
Attributes
Name Type Default Description
field text
*
Specifies the search field on which to implement the drilldown, or to set or unset a token.
Example

See the example for <set> for using the <condition> tag to set a token for in-page drilldown.

See the example for <unset> for using multiple <condition> tags.

link

<link>

Specifies a destination to link to.

<link> can be a child tag of <drilldown> or <condition>.

Use <link> as a child tag of <condition> when you want to configure distinct drilldown actions for specific fields. Otherwise, use <link> as a child tag of <drilldown>.

There are various ways to specify a destination for the drilldown using relative paths or a URL, as described below.

Parent elements
<drilldown><condition>
<drilldown>
  <link>

<drilldown>
  <condition>
    <link>
Attributes
Name Type Default Description
field Field name Specifies which values to capture in a table from the specified column or row. Cannot be specified together with the series attribute.

Although the field attribute is supported, Splunk recommends that you specify fields with the <condition> tag.

series Series name Specifies which values to capture in a chart from the specified series. Cannot be specified together with the field attribute.

Although the series attribute is supported, Splunk recommends that you specify series with the <condition> tag.

target text
Corresponds to the target attribute of the <a> HTML tag. Specifying target for the <link> element overrides the value of target specified in the <drilldown> element.

Specify "_blank" to open the drilldown in a new window.

Specify "_self" to open the drilldown in the same window.

Specify an arbitrary string to open the drilldown in a new window. Subsequent references to this target open in this window.

Parent element

<drilldown><condition>

1) <link> [viewname] </link>
2) <link> [path/viewname] </link>
3) <link> [path/viewname?form.token=$dest_value$] </link>
4) <link> [path/viewname?form.token=$dest_value$&earliest=$earliest$&latest=$latest$] </link>
5) <link> [URL?q=$dest_value$] </link>

  1. Use the specified view, which must be in the same path as the current dashboard.
  2. Relative path to connect to a dashboard.
  3. Relative path to connect to a form, passing in a token to populate the form.
  4. Pass in the earliest and latest time range from the original search.
    (Requires use of CDATA to escape special characters.)
  5. URL and query argument to pass a value to the destination page.

Path values Description
path A path to the destination view from the current view. Typically, you specify path as: /app/app_name/

However, you can also specify a relative path, based on the app context of the source and destination views.

viewname The name of the Splunk view you are using for a destination.
$dest_value$ Specifies how to capture a value from a visualization. See Drilldown event tokens for details on each visualization.
URL Specify a URL to a web page. Use the full address, including the protocol. For example: http://.
q When specifying a URL, use q to specify the value of dest_value in a query string to a web resource.

selection

<selection>
Sets the time window for the pan and zoom feature of charts. You can also use tokens to set other values, such as the numerical values of the X-axis in a chart.

Only applies to charts of type area, column, or line.

See Chart controls for details on the pan and zoom feature of charts.

Parent elements
<chart>
  <option name="charting.chart">area</option>
  | <option name="charting.chart">column</option>
  | <option name="charting.chart">line</option>
Use pre-defined tokens to capture the earliest and latest time of the time window and the earliest and latest values within that time window for a field.

For example:

    <selection>
      <set token="selection.earliest">$start$</set>
      <set token="selection.latest">$end$</set>
      <set token="start.[fieldname]">$start.[fieldname]$</set>
      <set token="end.[fieldname]">$end.[fieldname]$</set>
    </selection>

Can also be used to set a drilldown link.

    <selection>
      <link>
Attributes

No attributes for this element.

Example

A selection on the left chart zooms into the right chart with details for the selected area.

<dashboard>
  <label>Pan and Zoom</label>
  <row>
    <panel>
      <chart>
        <title>Pan and Zoom (All source types)</title>
        <searchString>
            index=_internal  |  timechart count by sourcetype
        </searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">line</option>
        <selection>
          <set token="selection.earliest">$start$</set>
          <set token="selection.latest">$end$</set>
          <set token="start.splunk_web_access">$start.splunk_web_access$</set>
          <set token="end.splunk_web_access">$end.splunk_web_access$</set>
        </selection>
        <option name="charting.axisTitleX.text">Last 7 Days</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Pan and Zoom (Web access source type)</title>
        <searchString>
            index=_internal sourcetype=splunk_web_access
            |  timechart count by sourcetype
        </searchString>
        <earliestTime>$selection.earliest$</earliestTime>
        <latestTime>$selection.latest$</latestTime>
        <option name="charting.chart">column</option>
        <option name="charting.legend.placement">none</option>
        <option name="charting.legend.masterLegend">null</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisTitleX.text">Selected Time Range</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <h3>Token values for the splunk_web_access selection</h3>
        <table border="0" cellpadding="12" cellspacing="0">
          <tr>
            <td>
              <p><b>Time range (epoch time)</b></p>
              <p>
                <b>$$selection.earliest$$</b>: $selection.earliest$<br/>
                <b>$$selection.latest$$</b>: $selection.latest$
              </p>
            </td>
            <td>
              <p><b>Count at the beginning and end of time range.</b></p>
              <p>
                <b>$$start.splunk_web_access$$</b>: $start.splunk_web_access$<br/>
                <b>$$end.splunk_web_access$$</b>: $end.splunk_web_access$</p>
            </td>
          </tr>
        </table>
      </html>
    </panel>
  </row>
</dashboard>


set

<set>

Allows you to publish new global tokens which can be consumed by any other element or search within the dashboard.

You can specify the value to capture when clicked, which can be from another token. You can also specify arbitrary text, which allows the token to be recognized for panels using the depends or rejects attributes.

<set> can be a child tag of <drilldown> or <condition>.

Use <set> as a child tag of <condition> when you want to configure distinct drilldown actions for specific fields. Otherwise, use <set> as a child tag of <drilldown>.

Parent elements
<drilldown><condition>
There are two ways to set a value of a token.

1. Use a template to combine input tokens and static portions to form the new token value. Templates allow you to reference multiple tokens when setting the value, and also specify quotes for the value using the |s token filter.

<set token="Token Name">sourcetype=$click.value|s$</set>

2. Use the prefix and suffix attributes to specify static portions for the input token. The following is equivalent to the template example above.

<set token="Token Name" prefix="sourcetype=&quot;" suffix="&quot;">$click.value$</set>

Attributes
Name Type Default Description
token Token name Required The name of the token to be consumed by the target visualization on the same page.
prefix text String to place before the value of the token.
suffix text String to append to the value of the token.
Example

A click on the table sets a token which is consumed by the search of the chart visualization.

<dashboard>
  <label>In-page Drilldown</label>
  <row>
    <panel>
      <table>
        <title>Set sourcetype token on click</title>
        <searchString>index=_internal | stats count by sourcetype</searchString>
        <earliestTime>-1h</earliestTime>
        <latestTime>now</latestTime>
        <drilldown>
          <condition field="sourcetype">
            <set token="sourcetype">$click.value2$</set>
          </condition>
        </drilldown>
      </table>
      <chart>
        <title>Chart for $sourcetype$</title>
        <searchString>
          index=_internal sourcetype=$sourcetype$ | timechart count by sourcetype
        </searchString>
        <earliestTime>-1h</earliestTime>
        <latestTime>now</latestTime>
      </chart>
    </panel>
  </row>
</dashboard>
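
The |s filter described above quotes a token's value before it is substituted into a search. The following audit is an added example, not Splunk code: it parses a Simple XML view and lists tokens placed in <searchString>, <searchTemplate> or <searchPostProcess> without |s, plus drilldown <link> destinations that send token values to an absolute URL. The function names, finding labels, example.com host and sample view are constructed for illustration, and each finding is a prompt for review rather than a verdict.

```python
import re
import xml.etree.ElementTree as ET
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "kind element detail tokens")

# Elements whose text is a search that receives token substitution.
SEARCH_TAGS = {"searchString", "searchTemplate", "searchPostProcess"}

# "$$" is a literal dollar sign; "$name$" or "$name|filter$" is a token.
TOKEN_RE = re.compile(r"\$\$|\$([^$\s|]+)(?:\|([A-Za-z]+))?\$")

# Constructed sample view, modelled on the examples in this reference.
SAMPLE_VIEW = """<form>
  <fieldset><input type="text" token="sourcetype" /></fieldset>
  <searchTemplate>
    index=_internal source=*metrics.log group=per_sourcetype_thruput
    series="$sourcetype$" | head 1000
  </searchTemplate>
  <row>
    <panel>
      <table>
        <searchPostProcess>stats count by series</searchPostProcess>
        <drilldown>
          <condition field="series">
            <set token="picked">$click.value2$</set>
          </condition>
        </drilldown>
      </table>
      <chart depends="$picked$">
        <searchString>
          index=_internal sourcetype=$picked|s$ | timechart count
        </searchString>
        <drilldown>
          <link><![CDATA[/app/search/simple_xml_form?form.foo=$click.value2$&earliest=$earliest$]]></link>
        </drilldown>
      </chart>
      <chart>
        <searchString>index=_internal | chart count by sourcetype</searchString>
        <drilldown>
          <link>http://example.com/search?q=$click.value$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>"""


def find_tokens(text):
    """Return (name, filter_or_None) for each token in a Simple XML string."""
    return [(m.group(1), m.group(2))
            for m in TOKEN_RE.finditer(text or "")
            if m.group(1) is not None]


def audit_view(xml_text):
    """Return the list of Finding tuples for one Simple XML view."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        text = (elem.text or "").strip()
        if elem.tag in SEARCH_TAGS:
            # Tokens substituted into a search without the |s (quote) filter.
            bare = [name for name, filt in find_tokens(text) if filt != "s"]
            if bare:
                findings.append(Finding("unquoted-token", elem.tag, "", bare))
        elif elem.tag == "link":
            # Relative paths stay inside Splunk; an absolute URL leaves it.
            url = urlsplit(text)
            if url.scheme:
                kind = ("external-link-cleartext" if url.scheme == "http"
                        else "external-link")
                sent = [name for name, _ in find_tokens(text)]
                findings.append(Finding(kind, elem.tag, url.netloc, sent))
    return findings


if __name__ == "__main__":
    for finding in audit_view(SAMPLE_VIEW):
        print(finding)
```
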

unset

<unset>

Use <unset> to remove a token that was previously set. Use <set> and <unset> when displaying drilldown results on the same dashboard.

Parent element
<drilldown><condition>

<unset token="Token Name">

Attributes
Name Type Default Description
token Token name Required The name of a previously set token that is now to be ignored.
Example

Use <set> and <unset> to define the visualization to use.

Use token definitions to hide a panel.

<dashboard>
  <label>Example for &lt;set&gt; and &lt;unset&gt;</label>
  <row grouping="1,3">
    <table>
      <title>Set sourcetype token</title>
      <searchString>
        index=_internal | stats count by sourcetype
      </searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>
      <drilldown>
        
        <!-- For the sourcetype field clicked: -->
        <!-- Set token to display a chart -->
        <!-- Unset token to display a table -->
        <condition field="sourcetype">
          <set token="sourcetype">$row.sourcetype$</set>
          <set token="showChart">foo</set>
          <unset token="showTable"/>
        </condition>
        
        <!-- For any other field clicked: -->
        <!-- Set token to display a table -->
        <!-- Unset token to display a chart -->        
        <condition field="*">
          <set token="sourcetype">$row.sourcetype$</set>
          <set token="showTable">foo</set>
          <unset token="showChart"/>
        </condition>
        
      </drilldown>
    </table>
    
    <!-- Hide the html panel when either token is present -->
    <!-- Click in the original table to set either token -->
    <html rejects="$showTable$, $showChart$">
      <h2>Details</h2>
      <div style="padding: 50px; margin: 0 auto; width: 350px;">
        <div class="alert alert-warning">
          <i class="icon-alert"/>
          Click on a row in the table on the left to show details.
        </div>
      </div>
    </html>
    
    <!-- if showChart token is set, display results here -->
    <chart depends="$showChart$">
      <title>Details for $submitted:sourcetype|s$</title>
      <searchString>
        index=_internal sourcetype=$sourcetype|s$
        | timechart count by sourcetype
      </searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>
    </chart>
    
    <!-- if showTable token is set, display results here -->
    <table depends="$showTable$">
      <title>Details for $submitted:sourcetype|s$</title>
      <searchString>
        index=_internal sourcetype=$sourcetype|s$
        | timechart bins=10 count by sourcetype
      </searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</dashboard>

Drilldown event tokens

For dynamic drilldown, these are the event tokens, and their values, that are available for each type of visualization.


chart (event tokens)

The clicked field name is the name of the field or series for the Y-Axis if present (similar to click.name2). If the name of the field or series is not available the field or category for the X-axis is used (click.name).

Data Property Description
click.name Name of the field or category for the X-axis. Not available when the legend has been clicked.
click.value Value of the field or category for the X-axis. Not available when the legend has been clicked.
click.name2 Name of the field or series for the Y-axis.
click.value2 Value of the field or series for the Y-axis. Not available when the legend has been clicked.
row.<fieldname> Any field values along the Y-axis at the same point as the click on the X-axis. Not available when the legend has been clicked.
row.<X-axis-name> Value of the X-axis. Not available when the legend has been clicked.
earliest/latest Time range of the clicked chart segment, or if not applicable, the time range of the search.

event (event tokens)

The value for click.name depends on the context of the click, as described below:

Data Property Description
click.name The field name associated with the click.

For cases in the event viewer where the field name is ambiguous:

  • Click a term in the raw event: Sets _raw as the field name.
  • Click the event timestamp: Sets _time as the field name.
  • Click a tag: Sets a field name according to the tag name, as follows:
      tag::<field>
      (for example, when host is tagged, tag::host)
click.value Value associated with the click.
click.name2 Identical to click.name.
click.value2 Identical to click.value.
row.<fieldname> Exposes each field value as row.<fieldname>.
earliest/latest Time range of the clicked event, which is:
earliest: _time
latest: (_time + 1 second)

map (event tokens)

The field for the <condition> tag in dynamic drilldown always corresponds to click.name.


Data Property Description
click.name Name of the first, or only field, that displays the marker.
click.value Value of the first, or only field, that displays the marker.
click.name2 Same as click.name.
click.value2 Same as click.value.
click.lat.name Name of the latitude field that determines the location of the marker.
click.lat.value Latitude value of the geo location of the marker.
click.lon.name Name of the longitude field that determines the location of the marker.
click.lon.value Longitude value of the geo location of the marker.
click.bounds.<orientation> Outer boundaries of all clustered locations that the marker represents.

Orientation: south, west, north, east

row.<fieldname> Each field value of the clicked marker is exposed in this form.
earliest/latest Time range of the search driving the map visualization.

single (event tokens)

The field for the <condition> tag in dynamic drilldown always corresponds to click.name.

Data Property Description
click.name Name of the field that is displayed by the single value visualization.
click.value Value that is displayed by the single value visualization.
click.name2 Same as click.name.
click.value2 Same as click.value.
row.<fieldname> Exposes each field in the same result row from which the single value is taken.
earliest/latest Time range of the search driving the single value visualization.

table (event tokens)

The field for the <condition> tag in dynamic drilldown always corresponds to click.name2.

Data Property Description
click.name Name of the leftmost field that is displayed in the table. This is always _time, if present.
click.value Value of the left-most column in the clicked row.
click.name2 Name of the clicked column.
click.value2 Value of the clicked column.
row.<fieldname> All field values for the clicked table row, including those fields that are not displayed.
earliest/latest Time range of the clicked table row, or if not applicable, the time range of the search.

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13


Comments

Sowings, you are correct. I have updated the docs: rowNumbers defaults to false.

Vgenovese
July 28, 2014

It seems that rowNumbers defaults to false for . I had to set it to true to get them to display.

Sowings splunk
July 23, 2014
