If you are anything like me, the poor drilldown support in Splunk drives you up the wall. Splunk's major strength is the creativity it affords you -- given a number of command line tools, you can implement all manner of crazy reports. And for most problems,
you there's another (usually better) way of solving your problem. But bizarrely, the drilldown capability is the opposite of flexible.
Fortunately, a few months ago, everything changed. Nick (formerly of the UI team, now of Sideview Apps) released sideview_utils into splunkbase. It's a series of new modules that afford you a variety of new functionality, most significantly including dramatically improved drill down capability. Let me provide you an example workflow from my CCM app:
- User logs in and goes to main page
- User sees an unexpected caller as the most popular caller and clicks the caller's name
- User is automatically sent to the User-At-A-Glance dashboard, which show's all the details for the caller. User sees an unexpected amount of time on the phone for a particular number and clicks on it.
- User is brought to the Generic Search page with pre-populated search criteria showing that the person called this number every night at approximately 10 PM, for an hour.
- User sends off an email, then clicks back and is returned to the User-At-A-Glance dashboard to review the rest of the caller's behavior.
None of this is really possible out of the box, but with sideview_utils, it's actually pretty easy. You need to write your views in the advanced xml to make it happen, but with that, you can make all your drill down, across and back dreams possible. Check it out on splunkbase.