Link to a search
You can create a drilldown that links users to search results for a clicked value. Users can view events to get more information on the value that they click.
How linking to a search works
Linking to a search lets users explore additional fields, values, and other data related to the value they click. You can use a default search or customize the search that opens on a user click.
Use the default search
A secondary search generates automatically to show more information about the clicked value. This search is similar to the search driving the source visualization but generates results that are more specific to the clicked value.
Customize the search
You can customize the secondary search to generate different results. For example, you might want to show results for a separate data set or include different fields or commands in the search string.
You can use predefined tokens to include the clicked value in the search.
Example
This column chart shows event counts by sourcetype over the last week.
The chart is generated using the following search string.
index = _internal | stats count by sourcetype
Drilldown linking to a default search is enabled on the chart. If a user clicks the mongod
sourcetype column in the chart, a secondary search opens. This search removes aggregations and generates an events list for the mongod
sourcetype value.
Users can explore details for the mongod
sourcetype that were not available in the column chart.
Configure the drilldown in the drilldown editor
You can use the drilldown editor to enable drilldown and configure linking to a search.
To create conditional or other advanced behaviors in a drilldown, use Simple XML. An error message appears if you access the drilldown editor in panels with existing advanced configurations.
Prerequisites
Some default drilldown settings are new in software version 6.6.0. Review drilldown defaults and customization in Use drilldown for dashboard interactivity.
Steps
- From the dashboard where you want to configure drilldown, click Edit to open the dashboard editor.
- Find the panel where you are configuring drilldown. Click the additional options button and select Edit drilldown.
- Select Link to search.
- Select a search type.
- "Auto" generates a default search to remove aggregations and filter for values from the clicked element.
- Select "Custom" to input a search string and time range.
- (Optional) Opt to open the search in a new browser tab.
- Click Apply to apply the drilldown settings.
- Click Save to save your dashboard changes.
Configure the drilldown in Simple XML
Click Edit to open the dashboard editor and click Source to access Simple XML source code.
Drilldown defaults and customization
Some default drilldown settings are new in software version 6.6.0. Review drilldown defaults and customization in Use drilldown for dashboard interactivity.
Enable the drilldown
Find the <option name="drilldown">none</option>
element in the visualization. Change the option to enable and focus the drilldown. For example, in a table visualization, use <option name="drilldown">cell</option>
to enable drilldown on table cells.
Once enabled, the drilldown links to a default search in the same browser tab.
Search syntax
Default search
Use the Simple XML <option>
for the visualization where you are enabling drilldown. For example, the following source code in a bubble chart adds a drilldown linking to a search.
<option name="charting.drilldown">all</option>
Check the Simple XML Reference to review the <option>
name and syntax to use for each visualization.
Custom search
In your dashboard source code, add the <drilldown>
element to customize the linked search.
This example uses the target
attribute to open the search in a new browser tab. The drilldown links to the search
page and uses the q
parameter to pass in the custom search string.
<drilldown> <link target="_blank">search?q=index=_internal | stats count by sourcetype</link> </drilldown>
Link to custom search example
You can customize a drilldown to change the results that users see when the secondary search opens.
Default search
This search generates a table aggregating customer actions on a retail website.
source="my_retail_data_source" | stats count by action
Drilldown linking to a default search is enabled in the table. The default search removes the aggregation by sourcetype and filters events for the selected sourcetype column. If a user clicks on the addtocart
action, the following secondary search opens.
source="my_retail_data_source" action="addtocart"
The default search filters results for the selected action. You might want to show more specific details. To override this default behavior, create a custom secondary search in the drilldown editor or in Simple XML.
Customizing the search
Customize the drilldown search to show users more information about the products involved in customer actions. The following search string uses the $click.value2$
predefined token to capture the action that users click and filter product counts for it.
source="my_retail_data_source" action=$click.value2$ | stats count by productId
Customizing the search in the drilldown editor
In the drilldown editor, you can change the default search to a custom search. Input the search string and configure time range parameters as needed.
Customizing the search in Simple XML
You can use Simple XML to create the same custom search behavior. In the table visualization element, add the following source code.
<drilldown> <link target="_blank">search?q=source="my_retail_data_source" action=$click.value2$ | stats count by productId</link> </drilldown>
The drilldown uses the $click.value2$
predefined token to capture the action that users click and use it in the search.
You can add custom time range parameters to the search. Use the <![CDATA[]]>
wrapper or HTML character entities to escape the &
ampersand or other special characters.
This example sets the time range for the last twenty-four hours.
<drilldown> <link target="_blank"> <![CDATA[ search?q=source="my_retail_data_source" action=$click.value2$ | stats count by productId&earliest=-24h@h&latest=now ]]> </link> </drilldown>
For more syntax details, see the <link>
element in the Simple XML Reference.
Use drilldown for dashboard interactivity | Link to a dashboard |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 8.2.2203, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!