Splunk Drilldown Dashboards for Better Interaction

  By: David Sitzes  |  Splunk Consultant

The global pandemic has drastically shifted the methods we use to interact and communicate. Organizations have even shifted their entire workforce to allow for remote opportunities. One thing I have found to be true is the increasing importance of interaction in our evolving remote workforce. If you also have experienced this, you’re not alone…and our Splunk dashboards feel the exact same way.

A happy dashboard provides usable amounts of information at just the right time and interacts with its user to achieve their desired outcome. Rather than becoming complacent with a dashboard containing one or two bar chart outputs, we can harness the power of Splunk’s advanced drilldown functionality and achieve truly amazing interactions in one single dashboard view.

What is a Splunk drilldown?

A drilldown is a functionality within a Splunk dashboard that allows for user interaction. For example, when a user clicks a bar chart or time chart, Splunk will open a search that dives deeper into the data behind that chart column the user clicked. This functionality is often found as a default selection for users when you create a chart type visualization as shown in the example video below:

Most commonly, drilldowns are utilized to allow a dashboard visualization to open another search, report, dashboard, or even an external website. Simple drilldown functionality is very one-sided and not usually interactive. Adding tokens and event handling to dashboard functionality creates an interaction between dashboard elements that goes beyond the common one-way drilldown we often see. Event handling allows us to set or unset token values and then use those values to show or hide panels on a dashboard.

How can we make our Splunk dashboards interactive?

Let’s look at an example dashboard step-by-step:

In this scenario, we have three single value panels with a count based on log level. I’d like to add event handling that sets a token based on which single panel value I click and use that token value to filter down the time chart above them.

TIP: It’s important to note that when you set or unset token values within dashboards, a critical missed step is to initialize that token value in the dashboard xml. If a search leverages a token value as part of the search with that token initialized, the search will not run correctly.

Our dashboard still only contains one-way drilldowns with event handlers and tokens. Let’s add three more panels in a row that display the count by component based on log levels. Furthermore, we can add interaction by showing or hiding the component count panels based on which log level is selected. We will create the tokens for show comp_ [info | warn | error]. Once we click the component chart, the tokens all reset back to their original condition.

Now we have true interaction by performing the following:

  • – Use event handling to set or unset token values and also initialize the token values
  • – Use tokens as inputs to search strings
  • – Add show/hide functionality with tokens by adding “depends” statement to panel xml section

Final Cleanup

While this might be considered a good solution, the problem quickly evolves as information is added. As the number of dashboard panels increases, you also increase the potential for users to become overwhelmed with information rendering the dashboard essentially unusable. Let’s clean this dashboard up a bit by:

  • – Setting the log level token based upon the drilldown column name (or log level)
  • – Simplifying the detail panel visibility with a token called show detail
  • – Resetting the dashboard any time the two panels below the time chart are clicked

Now we have a clean, functional, and more importantly INTERACTIVE dashboard that truly leverages Splunk’s advanced drilldown functionality!

References:

Contact us for more help on Splunk drilldowns and dashboards!