Splunk® Enterprise

Dashboards and Visualizations


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise.

Drilldown behavior

Use drilldown to provide additional data insights to dashboard users. Drilldown lets users click on visualization elements like data points, columns, table rows, or a visualization legend to open a secondary search in a new browser window. The secondary search is similar to the search driving the visualization but it generates results customized to the element that users click.

You can enable or disable drilldown using the visualization Format menu. Table visualizations and events lists provide additional configuration options in this menu.

Use Simple XML to make additional customizations. For example, you can create a dynamic drilldown linking users from a dashboard to a form or to an external website. A contextual drilldown links users to content on the same page.


Dynamic drilldown

Specify the following types of custom drilldown targets.

  • A dashboard or form in an app in your Splunk installation
  • A third-party URL


Dynamic drilldown elements

Implement dynamic drilldown in Simple XML using the <drilldown> element with other Simple XML elements. See Drilldown elements in the Simple XML Reference for details.

Element Description
<drilldown> Defines a drilldown. Parent element of the other dynamic drilldown elements.
<condition> Specifies fields that generate drilldown actions.
<link> Specifies a target destination for a detailed search.
<set> Publishes global tokens that can be consumed by any other element or search within a dashboard. Use <set> and <unset> when displaying drilldown results on the same dashboard.
<unset> Removes a token that was previously set. Use <set> and <unset> when displaying drilldown results on the same dashboard.

To learn about using <set> and <unset> for contextual drilldown, see Contextual drilldown elements.


Drilldown event tokens

Dynamic drilldown uses drilldown event tokens to customize the values that you capture from a visualization. The tokens available depend on the visualization. See Token usage in dashboards and Define tokens for drilldown in this manual.

For example, for a map visualization, the tokens specify the field and value from a map marker as well as latitude and longitude values. For a table visualization, the tokens specify the name and value returned from a clicked cell. The following table lists the drilldown event tokens available for a table visualization. See Drilldown event tokens in the Simple XML Reference for a complete list of tokens available for all visualizations.

Token Description
click.name Name of the leftmost field that is displayed in the table. This is always _time, if present.
click.value Value of the leftmost column in the clicked row.
click.name2 Name of the clicked column.
click.value2 Value of the clicked column.
row.<fieldname> All field values for the clicked table row, including those fields that are not displayed.
earliest/latest Time range of the clicked table row, or if not applicable, the time range of the search.

Drilldown event tokens differ from the tokens you define with the <set> element. Drilldown event tokens are pre-defined for capturing values from a click in a visualization. Tokens that are defined with the <set> element specify values that the target destination consumes.

Specify a destination link

The <link> element provides various options for specifying the destination for dynamic drilldown. For details, see <link> element in the Simple XML Reference.

You can specify the following.

  • Specify a dashboard in the same or different app in a Splunk deployment.
  • Pass in a token value to populate a form in the destination target.
  • Pass in earliest and latest values to define the search terms in the destination form.
  • Open a third party URL, optionally passing in the value captured by the drilldown action as a query argument.
  • Specify target values for the <a> HTTP anchor tag, indicating how to open the target HTTP web page.

When used with the <condition> element, you can specify the name of the field or series from which to capture values for drilldown.

Dynamic drilldown example

This example shows how to pass a drilldown value from a dashboard to a form in a separate app. The dashboard contains a table. A click anywhere in a row of the table captures the value for the source type from the first column in the row. This value is passed as the input value to the form.

This is the dashboard containing the table.

[Image: Viz DynamicDrilldownToForm.png]

This is the form, which is in a separate app. The value passed from the dashboard becomes the input to the form. The form shows the results when a user of the dashboard clicks anywhere in the row for the splunk_web_service source type.

[Image: Viz DynamicDrilldownForm.png]

Dashboard implementing dynamic drilldown

  • Uses the <drilldown> and <link> elements.
  • Specifies the target attribute in <link> to open the target in a new page.
  • References the src_type_tok token, which is defined in the target form.
  • Specifies row for the drilldown option.

Form

  • Defines the src_type_tok token
  • Populates the text input with the value passed in for the token and runs the form.

Source code for the table in the dashboard that implements dynamic drilldown:

<dashboard>
  <label>Dynamic Drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index="_internal" | chart count by sourcetype | sort sourcetype</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <link target="_blank">
            /app/MyApp/drilldown_dynamic_target_form?form.src_type_tok=$row.sourcetype$
          </link>
        </drilldown>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</dashboard>

Source code for the form that accepts the passed in value:

<form>
  <label>Dynamic Drilldown (Target Form)</label>
  <description/>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="src_type_tok" searchWhenChanged="true">
      <label>Source type</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Source type details</title>
        <search>
          <query>
            index=_internal | timechart span=1week count by $src_type_tok$
          </query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>

Single value drilldown using hidden fields

From a single value visualization you can drill down on hidden fields. The following example is from an app that uses single value visualizations to display selected government regulations. The example app uses a global search that returns information about government agencies, regulations, and regulation IDs. It contains two single value visualizations that use post process searches to obtain the values to display.

There are two dropdowns:

  • Select an agency
    The selected agency name is displayed as a single value visualization.
  • Select a regulation
    Users can choose a regulation available from the agency they selected. The regulation name is shown as a single value visualization.

The second single value visualization consumes the fields regulation_docketTitle and docketId from its post process search. However, a single value field can only display the first returned value, which is the regulation_docketTitle in this example.

The visualization uses the <drilldown> element to drill down on the "hidden value field," docketId. It specifies the hidden field in the $row.<field>$ drilldown event token. See Single event tokens for a list of all drilldown event tokens.

$row.docketId$

The following source code shows how to access the hidden value field for single value visualizations.

<form stylesheet="regulations_explorer.css">
  <label>Regulations Explorer</label>

  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="agency" searchWhenChanged="true">
      <label>Select an Agency</label>
      <search>
        <query><!-- populating search for input --></query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <fieldForValue>agencyName</fieldForValue>
      <fieldForLabel>agencyName</fieldForLabel>
      <choice value="*">ALL</choice>
      <default>*</default>
    </input>

    <input type="dropdown" token="docket" searchWhenChanged="true">
      <label>Select a regulation</label>
      <search>
        <!-- populating search for input --> 
      </search>
      <fieldForValue>docketTitle</fieldForValue>
      <fieldForLabel>docketTitle</fieldForLabel>
    </input>
    
    <!-- time picker input -->
  </fieldset>


  <!-- Global search for post process                       -->
  <!-- Provides docketId and regulation_docketTitle fields  --> 
  <!-- That are consumed by the single value visualization  -->  
  <search id="baseSearch">
    <query>
    | pivot regulations Regulations_Data count(Regulations_Data)
    AS "Count of Regulations Data" SPLITROW docketId
    AS "docketId" SPLITROW docketTitle
    AS "regulation_docketTitle" SPLITROW commentStatus
    AS "regulation_comment_status" SPLITROW commentEndDateLong
    AS "regulation_comments_end_date" SPLITROW commentStartDateLong
    AS "regulation_comment_start_date" SPLITROW agency_name
    AS "agency_name" FILTER docketTitle contains $docket|s$
    | sort - regulation_comment_start_date| head 1
    </query>
  </search>
  <row>
    <panel>
      <single>
        <!-- Displays regulation_docket title --> 
        <search base="baseSearch">
          <query>
            | fields regulation_docketTitle, docketId
          </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>

        </search>

        <drilldown>
          <link>
            <![CDATA[ http://www.regulations.gov/#!docketDetail;D=]]>$row.docketId$
          </link>
        </drilldown>
      </single>
    </panel>
  </row>
</form>

Contextual drilldown elements

Contextual drilldown displays results in a visualization on the same dashboard. Compare this to the dynamic drilldown example above, which sends drilldown results from a dashboard to a separate form. Use the <condition> element with the <drilldown>, <set>, and <unset> elements to implement contextual drilldown.

Use the <condition> element as a child of the <drilldown> element. The field attribute of the <condition> element specifies the fields whose values you want to capture. The <condition> element lets you specify different actions for the drilldown, depending on the field clicked.

Use the <set> element to assign the value from a drilldown token to another token that the target of the drilldown consumes. The <set> element is a child of the <condition> element. The <unset> element removes a token that was previously set.

Use the depends and rejects attributes of panel visualization elements to specify tokens that need to be present to display a visualization.

Basic contextual drilldown example

This example shows how a click anywhere in a row of a table passes a value to a chart on the same page. The drilldown captures the value from the first column in the clicked row to pass to the chart. The chart is hidden until a user clicks on the table.

[Image: Viz inpage drilldown.png]

This example uses the <set> element to set the src_type_tok token to the value returned from the $click.value$ drilldown token, which is the value from the first column in the table. See table event tokens.

The chart consumes the src_type_tok token in the depends attribute of the <chart> element, in the <title> element, and in the search. The depends attribute prevents the chart from displaying until a user clicks in the table.

<dashboard>
  <label>Contextual drilldown</label>
  <row>
    <panel>
      <table>
        <title>Set sourcetype token on click</title>
        <search>
          <query>
            index=_internal | stats count by sourcetype
          </query>
          <earliest>-4h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
            <set token="src_type_tok">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel>
      <chart depends="$src_type_tok$">
        <title>Chart for $src_type_tok$</title>
        <search>
          <query>
            index=_internal sourcetype=$src_type_tok$ 
            | timechart count by sourcetype
          </query>
          <earliest>-4h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>

Contextual example from map visualization

This example shows how to drill down to markers on a map visualization. The map visualization shows earthquake activity for the past month. The generated search on a map marker displays in a bar chart with details from the map data. For example, a click on the marker straddling Montana, Utah, and Wyoming generates the chart on the right.

[Image: Viz Map dynamic.png]

Note: This example uses earthquake data downloaded from the USGS Earthquakes website.

The following search shows earthquake activity for incidents of magnitude greater than .9:

index=main mag > .9 | geostats latfield=latitude longfield=longitude count

The <drilldown> element sets tokens based on the bounds of a marker showing clustered locations. The captured values derive from the click.bounds.<orientation> map token. See map event tokens for details on all map tokens available for drilldown.

<drilldown>
  <set token="bounds.north">$click.bounds.north$</set>
  <set token="bounds.east">$click.bounds.east$</set>
  <set token="bounds.south">$click.bounds.south$</set>
  <set token="bounds.west">$click.bounds.west$</set>
</drilldown>

The chart contains the following search, which consumes the tokens that the drilldown action generates:

index=main mag > .9 | search latitude >= $bounds.south$ latitude < $bounds.north$ longitude >= $bounds.west$ longitude < $bounds.east$ | top place

Here is the source code that implements this contextual drilldown example:

<row>
  <panel>
    <map>
      <search>
        <query>
        index=main mag>.9 
        | geostats latfield=latitude longfield=longitude count
        </query>
        <earliest>0</earliest>
        <latest />
      </search>
      <option name="mapping.data.maxClusters">1000</option>
      <option name="mapping.drilldown">all</option>
      <option name="mapping.map.center">(39.3,-95.98)</option>
      <option name="mapping.map.zoom">4</option>
      <option name="mapping.markerLayer.markerMaxSize">40</option>
      <option name="mapping.markerLayer.markerMinSize">20</option>
      <option name="mapping.markerLayer.markerOpacity">0.9</option>
      <option name="mapping.tileLayer.maxZoom">7</option>
      <option name="mapping.tileLayer.minZoom">0</option>
      <drilldown>
        <set token="bounds.north">$click.bounds.north$</set>
        <set token="bounds.east">$click.bounds.east$</set>
        <set token="bounds.south">$click.bounds.south$</set>
        <set token="bounds.west">$click.bounds.west$</set>
      </drilldown>
      <option name="mapping.tileLayer.url">
        http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
      </option>
    </map>
  </panel>
  <panel>
    <chart>
      <title>Places</title>
      <search>
        <query>
          index=main mag>.9 | search 
          latitude >= $bounds.south$ 
          latitude &lt; $bounds.north$
          longitude >= $bounds.west$ 
          longitude &lt; $bounds.east$ 
          | top place
        </query>
        <earliest>0</earliest>
        <latest />
      </search>
      <option name="charting.chart">bar</option>
    </chart>
  </panel>
</row>

Contextual example with multiple conditions

This example sets multiple conditions for drilldown. It contains a table listing event counts for source types by log level. A click in the table generates a detail chart. The detail chart is not visible until the user drills down from the table. The content of the detail chart differs, depending on where a user clicks in the table.

  • Click the sourcetype or Total column
    The detail chart displays details for all log levels.
  • Click a log level column
    The detail chart displays details for that log level.

[Image: Viz inpage drilldown1.png]

[Image: Viz inpage drilldown2.png]

This example sets three conditions using the field attribute of the <condition> tag. Each condition sets token values for $s_sourcetype$ and $s_log_level$. The search in the detail chart consumes these tokens.

   <drilldown>
     <condition field="sourcetype">
       <set token="s_sourcetype">$row.sourcetype$</set>
       <set token="s_log_level">*</set>
     </condition>
     <condition field="Total">
       <set token="s_sourcetype">$row.sourcetype$</set>
       <set token="s_log_level">*</set>
     </condition>
     <condition field="*">
       <set token="s_sourcetype">$row.sourcetype$</set>
       <set token="s_log_level">$click.name2$</set>
     </condition>
   </drilldown>

For all columns in the table, the token $s_sourcetype$ captures the value from the $row.sourcetype$ table token. This sets the value to the source type of the clicked cell.

For the sourcetype and Total columns, a click sets the $s_log_level$ token value to '*'.

For the log level columns, a click sets the $s_log_level$ token value to the value of the $click.name2$ table token. This token captures the name of the column of the clicked table cell.

The <chart> element for the detail chart sets the value of the depends attribute to $s_sourcetype$. The chart does not display until drilldown from the table sets this token.

<chart depends="$s_sourcetype$">

Here is the source code implementing this contextual drilldown example:

<dashboard>
  <label>Contextual Example with Multiple Conditions</label>
  <row>  
    <panel>
      <table>
        <title>Events: Source type by log level</title>
        <search>
          <query>
          index=_internal log_level=*
          | chart count over sourcetype by log_level | addtotals
          </query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition field="sourcetype">
            <set token="s_sourcetype">$row.sourcetype$</set>
            <set token="s_log_level">*</set>
          </condition>
          <condition field="Total">
            <set token="s_sourcetype">$row.sourcetype$</set>
            <set token="s_log_level">*</set>
          </condition>
          <condition field="*">
            <set token="s_sourcetype">$row.sourcetype$</set>
            <set token="s_log_level">$click.name2$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
    <panel>
      <chart depends="$s_sourcetype$">
        <title>
          Events: sourcetype="$s_sourcetype$" and log_level="$s_log_level$"
        </title>
        <search>
          <query>
          index=_internal sourcetype="$s_sourcetype$"
          log_level="$s_log_level$" | timechart count
          </query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>    
  </row>
</dashboard>
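
Added example, not part of the Splunk documentation: a Python review script that parses a Simple XML dashboard, finds each token substituted into a <query>, and reports whether it passes through the |s filter (as $docket|s$ does in the regulations example), sits inside typed quotes, or is substituted bare, together with the click or row event token it was set from. The function names and handling labels are this example's own; the sample dashboard is an abbreviated copy of the basic contextual drilldown example, and the filtered variant is constructed.

```python
import re
import xml.etree.ElementTree as ET

# $name$ or $name|f$, where f is a one-letter token filter such as s.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|([a-z]))?\$")

def click_derived_tokens(root):
    """Map tokens <set> inside <drilldown> to the click/row event tokens they copy."""
    derived = {}
    for drill in root.iter("drilldown"):
        for node in drill.iter("set"):
            names = [m.group(1) for m in TOKEN_RE.finditer(node.text or "")]
            events = [n for n in names if n.startswith(("click.", "row."))]
            if events:
                derived.setdefault(node.get("token"), set()).update(events)
    return derived

def audit_queries(xml_text):
    """Return one (token, handling, event tokens) tuple per token in a <query>."""
    root = ET.fromstring(xml_text)
    derived = click_derived_tokens(root)
    findings = []
    for query in root.iter("query"):
        text = query.text or ""
        for m in TOKEN_RE.finditer(text):
            name, flt = m.group(1), m.group(2)
            quoted = (text[m.start() - 1:m.start()] == '"'
                      and text[m.end():m.end() + 1] == '"')
            if flt == "s":
                handling = "filter-s"       # |s wraps the value in quotes
            elif quoted:
                handling = "manual-quotes"  # author typed quotes around the token
            else:
                handling = "bare"           # value is substituted into the SPL as-is
            findings.append((name, handling, sorted(derived.get(name, ()))))
    return findings

# Abbreviated copy of the basic contextual drilldown example on this page.
PAGE_EXAMPLE = """<dashboard><row>
  <panel><table>
    <search><query>index=_internal | stats count by sourcetype</query></search>
    <drilldown><set token="src_type_tok">$click.value$</set></drilldown>
  </table></panel>
  <panel><chart depends="$src_type_tok$">
    <search><query>index=_internal sourcetype=$src_type_tok$
      | timechart count by sourcetype</query></search>
  </chart></panel>
</row></dashboard>"""

# Constructed variant: the same consumer written with the |s filter.
FILTERED_EXAMPLE = PAGE_EXAMPLE.replace("=$src_type_tok$", "=$src_type_tok|s$")

if __name__ == "__main__":
    for label, xml_text in (("page", PAGE_EXAMPLE), ("filtered", FILTERED_EXAMPLE)):
        for name, handling, events in audit_queries(xml_text):
            print(f"{label}: ${name}$ handling={handling} set from {events or 'n/a'}")
```
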
Last modified on 28 June, 2017

This documentation applies to the following versions of Splunk® Enterprise: 6.5.7
