SPLK-1004 Adding Drilldowns


Adding Drilldowns Detailed Explanation

1. What is a Drilldown?

A drilldown is a feature that allows users to click on a table row, chart bar, or other visualization element and trigger an action based on the clicked value.

Typical drilldown actions include:

  • Setting a token to filter another panel

  • Opening a different dashboard or search page

  • Displaying detailed information based on a selected item

Drilldowns help guide users from a summary view to a more specific or detailed analysis, which is key in exploratory dashboards and operational monitoring.

2. Syntax Example

Drilldowns are configured inside dashboard XML (Classic Dashboards) or within the visual editor (Dashboard Studio). In XML, you can use the <drilldown> tag to set a token based on what the user clicks.

Example (Classic Dashboard XML):

<drilldown>
  <set token="selected_user">$click.value$</set>
</drilldown>

Explanation:

  • $click.value$ is a predefined variable containing the value of the clicked element.

  • selected_user is the token name that you can then reference in another search or panel.

You can also use:

  • $click.name$: the field name clicked (e.g., "user")

  • $row.<fieldname>$: the value in a table row for the specified field

Example in Table Context:

<drilldown>
  <set token="selected_host">$row.host$</set>
</drilldown>

Here, when a user clicks a row in a table, the value of the host field in that row will be saved into the selected_host token.

3. Use Cases

Drilldowns are extremely useful for creating multi-layered dashboards that allow users to explore data by clicking through summary views into detailed panels.

a) Click a Chart Bar to Filter a Table

Scenario:

  • You have a bar chart showing event count by region.

  • When the user clicks a bar labeled “US-East”, a table below updates to show all users in that region.

How:

<drilldown>
  <set token="selected_region">$click.value$</set>
</drilldown>

<!-- Table panel uses -->
<query>index=main region=$selected_region$</query>

b) Click a Table Row to Show User Details

Scenario:

  • A table lists users and login counts.

  • Clicking a row shows login history or error patterns for that user in a new panel.

How:

<drilldown>
  <set token="selected_user">$row.user$</set>
</drilldown>

<!-- Details panel -->
<query>index=auth_logs user=$selected_user$</query>

c) Open Another Dashboard with Parameters

You can also use drilldowns to navigate to another dashboard and pass context via tokens.

Example:

<drilldown>
  <link>
    <![CDATA[
      /app/search/user_detail_dashboard?form.user=$row.user$
    ]]>
  </link>
</drilldown>

This opens a second dashboard and passes the user field as a form token.

Summary Table: Drilldown Features

Feature | Description
--- | ---
What is Drilldown | Click interaction that triggers tokens or links
Token Example | <set token="x">$click.value$</set>
Chart Use Case | Click bar to filter table by region
Table Use Case | Click row to show detailed logs or behavior
Cross-dashboard Navigation | Link to another dashboard with tokenized URL parameters

Adding Drilldowns (Additional Content)

1. Setting Multiple Tokens in a Single Drilldown

In more advanced dashboard interactions, it’s common to assign multiple tokens when a user clicks a single table row or chart element. This enables richer inter-panel communication and data filtering.

Example:

<drilldown>
  <set token="selected_user">$row.user$</set>
  <set token="selected_role">$row.role$</set>
</drilldown>

In this example:

  • $row.user$ and $row.role$ are extracted from the clicked table row.

  • Both tokens can then be used in different panels to filter content or display user-specific information.

This pattern is especially helpful when constructing user profiles, audit views, or role-based visualizations.

2. Clearing Tokens Using <unset>

Drilldowns can also include an <unset> tag to clear tokens when needed. This is useful in scenarios where a user deselects a value or clicks on a blank chart area.

Example:

<drilldown>
  <unset token="selected_user"></unset>
</drilldown>

This will:

  • Remove the selected_user token entirely.

  • Hide or reset any panels that depend on that token (if configured using the depends attribute).

This helps avoid data confusion, especially in dashboards where old token values could accidentally influence new results.

3. Drilldowns in Dashboard Studio (vs. Classic XML)

While Classic Dashboards require XML-based <drilldown> configuration, Dashboard Studio offers a visual UI for setting up drilldowns.

Key Differences:

  • Classic Dashboards use XML to define <drilldown>, <set>, <unset>, etc.

  • Dashboard Studio lets you:

    • Click on a visualization and select “Drilldown” from the side panel.

    • Choose from in-place filtering, token setting, or dashboard navigation.

    • Set token value targets through drop-downs and logic builders.

Reminder: Drilldowns in Studio do not require XML editing and are typically configured visually through the dashboard editor.

4. Panel Visibility Controlled by Token-Driven Drilldown

Drilldowns often trigger panel visibility through token conditions, allowing for progressive disclosure of data.

Example:

<drilldown>
  <set token="selected_user">$row.user$</set>
</drilldown>

<panel depends="$selected_user$">
  <title>User Detail for $selected_user$</title>
  <search>
    <query>index=auth user=$selected_user$</query>
  </search>
</panel>

This setup enables:

  • A panel to remain hidden until a user is selected.

  • On click, the selected token is set, and the panel appears with detailed results.

  • A responsive, intuitive interface where the screen changes based on user interaction.

This is a commonly used pattern in executive dashboards, investigative workflows, and drill-through reporting.

5. Security Note: Preventing Token Injection Attacks

When tokens are set by user input, URL parameters, or drilldown values, unescaped tokens may introduce security risks like SPL injection.

Best Practice: Use Escaped Tokens

Use escaped token syntax when injecting token values into SPL:

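<query>index=web user=$selected_user|s$</query>

The |s filter wraps the value in quotation marks and escapes any quotation marks inside it, so the token is written without extra quotes around it. This prevents unintended SPL behavior or injection.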

This is especially important if:

  • The token value comes from URL parameters

  • Users click on values that contain special characters

  • The dashboard is exposed to multiple users with different privileges

Always sanitize and escape tokens to ensure reliable and secure dashboard behavior.
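
As an added example (not part of the original guide and not a Splunk tool), this Python lint parses Classic Dashboard XML and reports every token inside a <query> that is not written with the |s filter. The sample dashboard is constructed, and the names find_unescaped_tokens and SAMPLE_DASHBOARD are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches $name$ or $name|f$, where f is a one-letter token filter (s, h, u, n).
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.:]*)(?:\|([a-z]))?\$")

# Constructed sample dashboard (illustrative only, not from a real deployment).
SAMPLE_DASHBOARD = """
<dashboard>
  <row>
    <panel>
      <table>
        <search><query>index=main | stats count by region</query></search>
        <drilldown>
          <set token="selected_region">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel depends="$selected_region$">
      <table>
        <search><query>index=main region=$selected_region$</query></search>
      </table>
    </panel>
    <panel>
      <table>
        <search><query>index=web user=$selected_user|s$ host=$selected_host|h$</query></search>
      </table>
    </panel>
  </row>
</dashboard>
"""

def find_unescaped_tokens(xml_text):
    """Return (token, filter, query) for each token in a <query> that lacks |s."""
    findings = []
    root = ET.fromstring(xml_text)
    # Only <query> text becomes SPL; <set> and <title> are not scanned.
    for query in root.iter("query"):
        spl = (query.text or "").strip()
        for name, flt in TOKEN_RE.findall(spl):
            if flt != "s":  # |h and |u escape for HTML/URLs, not for SPL
                findings.append((name, flt or None, spl))
    return findings

if __name__ == "__main__":
    for name, flt, spl in find_unescaped_tokens(SAMPLE_DASHBOARD):
        print(f"token {name} (filter={flt}) is not |s-escaped in: {spl}")
```

A finding is a prompt for review rather than proof of a flaw: a token that deliberately carries a whole SPL fragment cannot use |s and needs its value constrained where it is set.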

Summary: Advanced Drilldown Patterns

Topic | Description
--- | ---
Multiple Token Set | Use multiple <set token="..."> inside a single <drilldown>
Clearing State | Use <unset> to remove tokens when no selection is present
Studio Drilldown | Configured through visual UI, supports filtering, linking, and token setting
Token-Controlled Visibility | Use the depends attribute on panels to show/hide based on token existence
Security Consideration | Use `$token

Frequently Asked Questions

What is the basic purpose of a drilldown in a Splunk dashboard?

Answer:

A drilldown lets user interaction on one visualization trigger a more detailed view, action, or navigation path.

Explanation:

This turns a dashboard from passive reporting into interactive analysis. The exam usually tests whether you recognize drilldowns as event-driven transitions based on clicked values, rows, or visual elements. If the requirement says “click to see more detail” or “use the selected value elsewhere,” drilldown is the correct conceptual answer. A common mistake is thinking drilldowns are only links; they are dynamic interactions powered by context and tokens.

Demand Score: 75

Exam Relevance Score: 93

Why are predefined tokens important in drilldown configuration?

Answer:

Because they provide the clicked context, such as row, value, or series information, needed to drive the next step.

Explanation:

Without the correct token, the drilldown may fire but pass the wrong value or no useful value at all. The exam often hides this behind a symptom like “the page opens, but the wrong data is shown.” That usually points to token selection or mapping. If the prompt emphasizes passing clicked context, predefined tokens should be part of your reasoning immediately.

Demand Score: 74

Exam Relevance Score: 92

What makes a drilldown “dynamic”?

Answer:

It adapts its target or behavior based on the specific value the user clicked.

Explanation:

A static link is the same every time. A dynamic drilldown changes the destination search, dashboard state, or URL parameters based on event context. The exam distinction matters because the blueprint explicitly calls out dynamic drilldowns. If the scenario says the clicked slice, row, or point should determine what happens next, dynamic drilldown is the intended concept. The common mistake is configuring navigation without actually using the clicked context.

Demand Score: 73

Exam Relevance Score: 90

Why do drilldowns fail so often even when the visualization itself looks correct?

Answer:

Because drilldowns depend on token names, event context, and configuration details that are separate from the chart rendering.

Explanation:

A panel can display data perfectly while still passing the wrong field or no field at all. That is why drilldown troubleshooting often focuses on event handlers and token inspection rather than search correctness. The exam rewards recognizing that interactivity has its own configuration layer. If the question is about a click action not working, think tokens and drilldown settings before rewriting the base search.

Demand Score: 71

Exam Relevance Score: 87
