Drill down on table row or cell information
After running a transforming search that returns a table in the Statistics tab, click on a row or cell of that table to run different kinds of secondary drilldown searches.
The following drilldown search actions focus on the field-value pairs represented by a table row or cell.
| Drilldown action | Description | Time range | Result |
|---|---|---|---|
| View events | Run a search that shows only the events from the original dataset that include the field-value pairs. Discard all piped search commands. | Same as the original search, unless you are clicking on a cell or row that represents a specific span of time, in which case the drilldown search uses that span as its time range. | An event list similar to the one returned by the original search, filtered to include only events that have the field-value pairs. |
| Other events | Run a search that shows only the events from the original dataset that do not include the field-value pairs. Discard transforming search commands and any commands that follow them. | Same as original search. | An event list similar to the one from the original search, filtered to include only events that do not have the field-value pairs. |
| Exclude from results | Rerun the original search including all piped search commands. Omit events that include the field-value pair. | Same as original search. | A table similar to the one returned by the original search, minus events containing the field-value pair. |
| New search | Run a new search that focuses exclusively on the field-value pair. No additional values or search commands are included. | Same as original search. | A list of all events within the time range that have the field-value pair. |
| Narrow to this time range | Rerun the original search including all piped search commands. | The time range represented by the selected row or cell. | A table similar to the one returned by the original search, but only for events that fall within the time range represented by the clicked row. The new table is broken out into rows representing time spans within the new time range. |
Run a drilldown search on a table row or cell
1. In the Search & Reporting app, run a transforming search or report that returns a table in the Statistics tab.
2. Click Format and select the appropriate value for Drilldown.
- Select Row if you want to run a drilldown search on a row.
- Select Cell if you want to run a drilldown search on a cell.
3. Click a table row or cell that you would like to run a drilldown search on.
- A list of drilldown search options appears. The list also indicates the field-value pairs that are the focus of the drilldown search options. The option list also indicates whether the drilldown search will use a specific time range.
- The set of options you see depends on a variety of factors. See "Drilldown search options for rows" and "Drilldown search options for cells"
4. Click a drilldown search option.
- Run the drilldown search in the current tab and replace your current search, or run the drilldown search in a new tab and leave your current search results intact. To run the search in the current tab, click the option text. To run the search in a new tab, click the Open In New Tab icon
for the option.
Drilldown search options for rows
There are two possible sets of drilldown search options for rows.
When you click on a row where the first column represents a value of _time, meaning that the row represents a timespan, you see two drilldown search options when you click on the row.
- View events
- Narrow to this time range
When you click on a row where the first column represents a field-value pair, you see these drilldown search options when you click on the row. The drilldown searches use each field-value pair represented by the row.
- View events
- Other events
Drilldown search options for cells
The set of drilldown search options you see when you click on a cell differ depending on a variety of factors.
The cell represents a timespan. When you click on a row cell that displays a value of _time, meaning that it represents a span of time, you see two drilldown search options.
- View events
- Narrow to this time range
The cell represents a split row field value. You see this for cells in tables where the columns represent fields, and you are clicking in a cell that is not in the first column. You see four drilldown search options for the field-value pair represented by the column title and the cell value.
- View events
- Other events
- Exclude from events
- New search
In addition, you see two drilldown search options for the combination of the field-value pair represented by the cell you selected and the other field-value pairs preceding it on its row.
- View events
- Other events
The cell represents a split column value. You typically see this in tables where the first column is a time range or split row field and the other columns represent values of another field. The split column cells usually contain a count or similar numeric value.
- Exclude from events (for the field-value pair represented by the column)
- View events (for the field-value pair represented by the column and the field-value pair or time range represented by the row)
The cell represents an event count or percentage and is not a split column value. You see two drilldown search options for the combination of the field-value pairs in the cells preceding this cell along its row.
- View events
- Other events
Drilldown searches for charts and visualizations
You can also click on elements of charts and visualizations to run drilldown searches. For more information see Use drilldown for dashboard interactivity in Dashboards and Visualizations.
| Compare hourly sums across multiple days | Open a non-transforming search in Pivot to create tables and charts |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13
Download manual
Feedback submitted, thanks!