Drilldown on a Single Value Field in Splunk

By default you can’t drill down on a single value field visualisation in a splunk view if you are using a rangemap to change colours.

eg: rangemap field=count low=0-0 default=elevated

This can be circumvented with the following addition to the XML in the dashboard (thankfully this works in simplified XML):

      <option name="linkFields">result</option>
      <option name="linkSearch">
        search index=main c_msg_severity=0   
      </option>
      <option name="linkView">flashtimeline</option>
Tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *