Mastering Splunk

Drilldowns

According to webopedia, in information technology, a drilldown can be defined as follows:

"To move from summary information to detailed data by focusing in on something."

--webopedia 2014

Splunk can launch a new search when you click on a row in a table or a bar in a chart. The new search is built from the value (or values) you clicked and digs deeper into the details behind that selection; it is known as a drilldown, and its results open in a separate view from the original search results.

As an example, we can use one of our earlier Splunk search examples (shown next):

sourcetype=csv 2014 "Current Forecast" "Direct"  "513500" |  rename May as "Month" Actual as "Version" "FY 2012" as Year 650693NLR001 as "Business Unit" 100000 as "FCST" "09997_Eliminations Co 2" as "Account" "451200" as "Activity" | eval RFCST= round(FCST) | Table "Business Unit", Activity, Account, RFCST, FCST

From this search, we can get the following table visualization:

If this table is set up for a row drilldown (the options are covered in the next section), clicking the first row of the panel moves Splunk to the Search view and runs the following search:

sourcetype=csv 2014 "Current Forecast" "Direct"  "513500"  | rename May as "Month" Actual as "Version" "FY 2012" as Year 650693NLR001 as "Business Unit" 100000 as "FCST" "09997_Eliminations Co 2" as "Account" "451200" as "Activity" | search "Business Unit"=999999 Activity=513500 Account="42000-S2S GLOBAL" FCST="3049033.736" | eval RFCST= round(FCST) | search RFCST=3049034

This search returns the detailed events behind the row you selected in the original search. Note that the original transforming command (table) has been removed from the drilldown search, so the Statistics and Visualization tabs show no results; everything appears on the Events tab, as shown here:

The drilldown options

In the preceding example, I already knew that the row drilldown was enabled. To view (or change) the drilldown setting of a table, run your search and then click on the Format menu under the Statistics tab:

Table visualizations have three drilldown options:

  • Row: A click anywhere on a row launches a search filtered on the values in that row (all of its columns)
  • Cell: A click on a cell launches a search filtered on both the x-axis value (the first column of that row) and the y-axis value (the column of the clicked cell)
  • None (off): This option turns off the drilldown functionality for the table

Chart visualizations such as bar, column, line, area, and pie charts have two drilldown options. Let's take another look at one of our earlier Splunk search examples, which uses the chart command:

tm1* rule | chart count(date_hour) by date_wday

We can then click on the Format menu under the Visualizations tab, as shown in the following screenshot:

You can see that the two drilldown options here are:

  • Yes: This option enables the drilldown functionality for the visualization. This lets you drill down on a particular part of a chart or legend by clicking on it.
  • No: This option turns off the drilldown functionality for the visualization.

The basic drilldown functionality

In general, when the search behind a table or chart ends in a transforming command, the drilldown removes that final transforming command and appends search terms that filter on the specific x-axis value, or on the combination of x-axis and y-axis values, captured by the click.

Row drilldowns

As shown earlier, when a table's drilldown option is set to Row, clicking any row launches a drilldown search for that row. Let's look at a simple example using the following search:

sourcetype=csv 2014 "Current Forecast" "Direct"  |   rename May as "Month" Actual as "Version" "FY 2012" as Year 650693NLR001 as "Business Unit" 100000 as "FCST" "09997_Eliminations Co 2" as "Account" "451200" as "Activity" | eval RFCST= round(FCST) | eventstats sum(RFCST) as total_RFCST| Table Activity, Account, total_RFCST

In this table, a row click launches a drilldown search filtered on every value in the selected row; in this case, that means the Activity, Account, and total_RFCST values:

Clicking the row launches the following search, which finds 11 results:

sourcetype=csv 2014 "Current Forecast" "Direct"   | rename May as "Month" Actual as "Version" "FY 2012" as Year 650693NLR001 as "Business Unit" 100000 as "FCST" "09997_Eliminations Co 2" as "Account" "451200" as "Activity"  | eval RFCST= round(FCST)  | eventstats sum(RFCST) as total_RFCST| search Activity=516550 Account="09996-ELIM CO 20 REV/COS" total_RFCST=1335725390

These 11 results are as shown in the following screenshot:

Note

Notice that Splunk appended search Activity=516550 Account="09996-ELIM CO 20 REV/COS" total_RFCST=1335725390 to the pipeline and removed the transforming command Table Activity, Account, total_RFCST.

Cell drilldowns

When a table's drilldown option is set to Cell, clicking a specific cell launches a drilldown search for that cell. As an example, we'll use a search similar to the previous one, with the Version field added to the table:

sourcetype=csv 2014 "Current Forecast" "Direct"  |   rename May as "Month" Actual as "Version" "FY 2012" as Year 650693NLR001 as "Business Unit" 100000 as "FCST" "09997_Eliminations Co 2" as "Account" "451200" as "Activity" | eval RFCST= round(FCST) | eventstats sum(RFCST) as total_RFCST| Table Activity, Account, Version, total_RFCST

In this table, a cell click launches a drilldown search on the combination of the x-axis value (the value in the first column of the cell's row; here, Activity 516550) and the y-axis value (the value in the column of the clicked cell; here, Version "Current Forecast"):

The drilldown again removes the transforming command (Table Activity, Account, Version, total_RFCST) and appends the new search terms (search Activity=516550 Version="Current Forecast"):

sourcetype=csv 2014 "Current Forecast" "Direct"   | rename May as "Month" Actual as "Version" "FY 2012" as Year 650693NLR001 as "Business Unit" 100000 as "FCST" "09997_Eliminations Co 2" as "Account" "451200" as "Activity"  | eval RFCST= round(FCST)  | eventstats sum(RFCST) as total_RFCST| search Activity=516550 Version="Current Forecast"

This search yields 22 results:

The 22 search results in the Events tab

Chart drilldowns

Drilldown searches on charts (bar, column, line, area, and pie) behave differently depending on whether you click in the body of the chart (for a pie chart, you can also click on the label pointing to a slice in the pie) or in the chart legend (if a legend is displayed).

As with tables, a drilldown from a chart creates a search that is identical to the original search except that the transforming command is removed and a search term based on the x-axis value you clicked in the chart is added.

Let's use an earlier example of a bar chart based on the following search of Cognos TM1 logs:

tm1* rule | chart count(date_hour) by date_wday

In this chart, date_wday (the day of the week) is the split-by field, which Splunk treats as the x-axis even though a bar chart draws those categories down the vertical side, while count(date_hour), the number of events that carry a date_hour value, is the y-axis:

If you click in the body of the chart, the drilldown search drills down on the x-axis value represented by that bar; clicking the Monday bar, for example, runs:

tm1* rule date_wday=Monday

As with the earlier table drilldown examples, this drilldown search is identical to the original search except that the final transforming command has been removed and a filter on the split-by value of date_wday has been added.
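The rewrite rule behind the row, cell, and chart drilldowns above can be modelled in a few lines. The following Python is an added worked example, not Splunk's own code: it strips the final transforming command from the SPL, appends search terms for the clicked values, and reproduces the three drilldown searches shown in this chapter from the original searches plus the clicked row or bar. The TRANSFORMING set, the split_pipeline/spl_quote/drilldown helpers, and the clicked values are constructed for the example; the three search strings are copied from this chapter. Splunk's real implementation is more elaborate (the first example in this chapter shows it inserting the filter before the eval rather than at the end), so treat this as a model of the rule, not a reimplementation.

```python
"""Model of how a Splunk drilldown rewrites the search behind a table or chart.

Added worked example: this is not Splunk's own code. It follows the rule this
chapter describes (drop the final transforming command, then add search terms
for the clicked x-axis value, or x and y values) and reproduces the drilldown
searches shown above from the original SPL plus the clicked values.
"""
import re
from typing import Dict, List, Optional

# Commands whose output is a table or chart; the drilldown strips the last one.
# Assumed set for this example; Splunk recognises more transforming commands.
TRANSFORMING = {"table", "chart", "timechart", "stats", "top", "rare"}

# Searches taken from this chapter (whitespace normalised).
ROW_SEARCH = (
    'sourcetype=csv 2014 "Current Forecast" "Direct" | rename May as "Month" '
    'Actual as "Version" "FY 2012" as Year 650693NLR001 as "Business Unit" '
    '100000 as "FCST" "09997_Eliminations Co 2" as "Account" "451200" as '
    '"Activity" | eval RFCST= round(FCST) | eventstats sum(RFCST) as total_RFCST'
    ' | Table Activity, Account, total_RFCST'
)
CELL_SEARCH = ROW_SEARCH.replace("Table Activity, Account, total_RFCST",
                                 "Table Activity, Account, Version, total_RFCST")
CHART_SEARCH = "tm1* rule | chart count(date_hour) by date_wday"


def split_pipeline(search: str) -> List[str]:
    """Split SPL on '|' while ignoring pipes that sit inside double quotes."""
    stages, buf, in_quotes = [], [], False
    for ch in search:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "|" and not in_quotes:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return stages


def spl_quote(value) -> str:
    """Quote a field name or value for `search field=value`.

    Plain tokens stay bare (Activity=516550). Anything with spaces, slashes or
    other special characters is double-quoted, with embedded quotes and
    backslashes escaped, so a clicked value cannot smuggle in extra terms.
    """
    text = str(value)
    if re.fullmatch(r"[A-Za-z0-9_.:\-]+", text):
        return text
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def drilldown(search: str, mode: str, clicked: Dict[str, str],
              column: Optional[str] = None) -> str:
    """Return the drilldown search for a click.

    mode    "row"   -> filter on every column of the clicked row
            "cell"  -> filter on the x-axis field (first column) plus `column`
            "chart" -> filter on the x-axis (split-by) value of the clicked bar
    clicked ordered mapping column -> value; its first key is the x-axis field
    """
    stages = split_pipeline(search)
    last = stages[-1].split()
    if last and last[0].lower() in TRANSFORMING:
        stages = stages[:-1]  # Splunk removes the final transforming command

    fields = list(clicked)
    x_field = fields[0]
    if mode == "row":
        keep = fields
    elif mode == "cell":
        if column not in clicked:
            raise ValueError("cell drilldown needs the clicked column")
        keep = [x_field] if column == x_field else [x_field, column]
    elif mode == "chart":
        keep = [x_field]
    else:
        raise ValueError(f"unknown drilldown mode {mode!r}")

    terms = " ".join(f"{spl_quote(f)}={spl_quote(clicked[f])}" for f in keep)
    if len(stages) == 1:
        # Only the base search is left: append the terms to it directly, which
        # is what Splunk does for `tm1* rule | chart ...`.
        return f"{stages[0]} {terms}"
    return " | ".join(stages + [f"search {terms}"])


if __name__ == "__main__":
    row = {"Activity": "516550", "Account": "09996-ELIM CO 20 REV/COS",
           "total_RFCST": "1335725390"}
    print(drilldown(ROW_SEARCH, "row", row))
    cell_row = dict(row, Version="Current Forecast")
    print(drilldown(CELL_SEARCH, "cell", cell_row, column="Version"))
    print(drilldown(CHART_SEARCH, "chart", {"date_wday": "Monday"}))
```

The quoting step is the part worth copying if you ever assemble drilldown searches yourself (for example from dashboard tokens): a clicked value such as 09996-ELIM CO 20 REV/COS has to be double-quoted or it becomes three separate search terms, and escaping embedded quotes keeps a value taken from event data from adding search terms of its own.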

Legends

Drilldown searches from a chart legend work only when the chart has a split-by field (a second by field whose values become the legend's series). When a legend entry is not a field value that can be searched on, there is nothing to drill down into, and clicking it returns an error message.