Now You See It, Now You Don’t! Creating Drilldowns That Toggle In Your Splunk Dashboards 

By Marvin Martinez, Team Lead, Security Automation

Splunk dashboards are admittedly amazing! You can display data in different contexts and levels of granularity as you see fit. One classic combination is having a single-value panel to display a high-level roll-up metric in the form of a single number and then allowing the user to click on the value to display the events/data that make up that value in a separate drilldown that usually displays in one of two ways: 

  • A separate tab that is either just the straight raw search in a search window in Splunk or a dashboard built to display that search with the additional detail, OR 
  • A separate panel underneath that is revealed to display the additional data as needed. 

The first option is the simplest one and may usually suffice for simple or personal use cases. The second option is definitely nicer, more robust, and can be a great visual for users that like to have all of their data in one place. That being said, there’s one flaw with having an inline panel that opens up to display the context like that: if you have an already robust dashboard with various panels for other data, the newly revealed panel is usually a visual hindrance on the rest of the dashboard. Wouldn’t it be nice to be able to toggle the drilldown panel on and off from the same panel that generates the drilldown? That’s what this blog is for! 

On to the setup!  Let’s start with a quick synopsis of what’s needed.  At a high level, you’ll need the following: 

  • A single-value panel (or any other panel that you want to use as a drilldown origin) 
  • A defined token that will be used to hide/display the drilldown panel as needed 
  • A drilldown panel ready to display the necessary data with a depends leveraging the token defined above. 

Let’s start with a sample dashboard. Below you will see a test dashboard with a few single-value panels in the first row. The “Green Number” panel has a drilldown configured to display all the 1,438 events that led to that number. Notice that the dashboard is already quite full of information as it is, so another panel displaying many lines of context, while useful, wouldn’t exactly make this dashboard prettier. 

After clicking the “Green Number” value, the drilldown panel shows up underneath (as shown below). This is great! The user can see the context behind the 1,431 single value directly underneath the panel without having to click away to a new tab. However, that panel now makes the dashboard that much busier, and a user may want to be able to re-hide it to continue viewing the other data in the dashboard. This is where the toggle capability comes in handy and is a great feature to add to your dashboard! 

In order to be able to hide/display your drilldown panel, you need to add a “depends” attribute to your panel node, as shown below: 

<row>
  <panel depends="$tok_show_drilldown$">
    <table>
      <title>Details</title>
      <search base="base_metrics_filtered">
        <query>…DRILLDOWN QUERY…</query>
      </search>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
</row>

The token used to display the drilldown panel is “tok_show_drilldown”.  This is the token we will use to toggle the panel on and off from the single-value panel. Let’s set that up now. 

<panel>
  <single>
    <title>Green Number</title>
    <search base="base_metrics_filtered">
      <query>…ORIGINAL SEARCH | stats count</query>
    </search>
    <option name="colorMode">block</option>
    <option name="drilldown">all</option>
    <option name="rangeColors">["0x53a051","0x53a051"]</option>
    <option name="rangeValues">[0]</option>
    <option name="refresh.display">progressbar</option>
    <option name="useColors">1</option>
    <drilldown>
      <condition match="len($tok_show_drilldown$) = 4">
        <set token="comp_message"></set>
        <unset token="tok_show_drilldown"></unset>
      </condition>
      <condition match="1=1">
        <set token="tok_show_drilldown">true</set>
        <set token="comp_message">(click again to close drilldown)</set>
      </condition>
    </drilldown>
  </single>
</panel>

Setting up the toggle, as you can see, comes down to a careful conditional on your drilldown! In your drilldown configuration, add two condition nodes. The first one is driven by a match rule that checks whether the tok_show_drilldown token is already set to “true” (length = 4, in this case). If so, it unsets the token and also sets a token named comp_message to an empty string (more on this in a bit). The second condition is the “default” case (1=1). It sets tok_show_drilldown to true so that the drilldown panel displays, and sets the comp_message token to the string “(click again to close drilldown)”. 

This setup allows the user to click the same panel to toggle the drilldown on or off as needed. Additionally, because of how we set up the comp_message token, we can use it in the title of the panel, as shown below, so that when the user clicks to display the drilldown, the panel title also includes a message informing the user that they can click the panel again to hide it. 

This is how it looks once saved: 

Once you click again and the drilldown disappears, the message disappears too, because of how we set up the conditions on our panel! 
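To show the two pieces above working together, here is a complete, minimal Simple XML dashboard that you can paste into a new dashboard as-is. It is an added example written for this post, not the author’s original dashboard: the label, the `makeresults` base search (which fabricates 1,438 rows so the dashboard works without any real index), the `severity` field, and the exact title wording are my assumptions. The token names, the `depends` attribute, and the two drilldown conditions are the ones described in the post; the `<init>` block is added so the title starts with an empty message instead of the literal token text.

```xml
<dashboard>
  <label>Drilldown Toggle Example</label>

  <!-- Assumption: start with an empty message so the single-value title
       never renders a literal $comp_message$ before the first click -->
  <init>
    <set token="comp_message"></set>
  </init>

  <!-- Constructed base search: 1,438 synthetic rows stand in for real data -->
  <search id="base_metrics_filtered">
    <query>| makeresults count=1438 | eval severity=if(random()%3=0,"high","low")</query>
  </search>

  <row>
    <panel>
      <single>
        <!-- The message token is part of the title; it is "" while closed -->
        <title>Green Number $comp_message$</title>
        <search base="base_metrics_filtered">
          <query>| stats count</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x53a051"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
        <drilldown>
          <!-- Toggle off: the token already holds "true" (length 4),
               so clear the message and unset the visibility token -->
          <condition match="len($tok_show_drilldown$) = 4">
            <set token="comp_message"></set>
            <unset token="tok_show_drilldown"></unset>
          </condition>
          <!-- Toggle on: default case, reveal the panel and show the hint -->
          <condition match="1=1">
            <set token="tok_show_drilldown">true</set>
            <set token="comp_message">(click again to close drilldown)</set>
          </condition>
        </drilldown>
      </single>
    </panel>
  </row>

  <row>
    <!-- Rendered only while tok_show_drilldown is set; hidden after unset -->
    <panel depends="$tok_show_drilldown$">
      <table>
        <title>Details</title>
        <search base="base_metrics_filtered">
          <query>| table _time severity</query>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Clicking the single value the first time takes the `1=1` branch, sets tok_show_drilldown, and the second row appears with the hint in the title; clicking it again takes the `len(...) = 4` branch, unsets the token, and both the row and the hint go away. One thing worth keeping in mind when you use this pattern on dashboards that carry sensitive data: `depends` only controls whether the panel is rendered. The base search still runs and its results are still reachable by anyone who can open the dashboard, so the hidden panel is a presentation choice, not an access control; restrict the underlying index or saved search if the detail should not be visible to every viewer.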

Now, you can enable your users to open and hide useful drilldown panels as they see fit without hindering the user experience on the rest of the dashboard and your dashboard presents as that much smarter! 

Need help optimizing Splunk for your team? See how TekStream can help.

About the Author

Marvin Martinez has nearly 20 years of combined experience in software and workflow development and nearly 5 years as a Splunk Core Certified Consultant and certified SOAR developer, most recently operating as a team lead on the MDR (Managed Detection and Recovery) team and leading a team of SOAR developers to architect, administer, design, develop and enhance automation playbooks and activities as part of the incident resolution process with Splunk SOAR.  

For the first 15 years of his career, he was primarily focused on Inspyrus Invoice Automation installation, design and configuration, including PL/SQL, Workflow Forms Recognition (WFR), Oracle Enterprise Capture, EBS/JDE/Fusion integration, and BPEL/BPM development, as well as working within and managing Oracle Cloud Infrastructure (OCI) and ancillary BPEL/BPM development and becoming a certified OCI Architect Associate and AWS Developer Associate.   

Marvin has a proven track record of being motivated, technologically agile, quick and eager to learn, efficiently productive, and an effective communicator, able to work proficiently as part of a team as well as independently/remotely.