whackyhack

## How to hide drilldown panels when main panel input changes?.md

      
              2 files
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                whackyhack
                / How to hide drilldown panels when main panel input changes?.md
            
            
              Created
              April 18, 2026 00:49
            
          
    This is from a Splunk Slack discussion.  RichFez asks:

A "real" question.  I have a text input at the top.
There are 4 panels below - the first one is a search that's based off the text input.
The other 3 are searches in lookups that are based off of a click off that base panel.
The problem is, when someone erases or starts typing in/over the text input, the other three panels should clear their results immediately and wait for later.

This demo dashboard presents a simple solution:
The dependent panel checks "When data is unavailable, hide element" under "Visibility" (containerOptions.visibility.hideWhenNoData true; default is false) to hide previously displayed panel. The "main" search includes the raw input value in the output as an internal variable, and the panel unchecks "Internal fields" under "Data display" (options.showInternalFields false; default is true) so the value is preserved but not shown to user. (User

  
## color_palette_based_on_two_values.xml
<form version="1.1" theme="light">
  <label>Color palette based on two values</label>
  <description>https://community.splunk.com/t5/Dashboards-Visualizations/Color-Palette-Expression-based-on-two-fields/m-p/757387#M59355</description>
  <fieldset submitButton="false">
    <input type="radio" token="task_pct_tok" searchWhenChanged="true">
      <label>task_pct</label>
      <choice value="0">0</choice>
      <choice value="0.5">0.5</choice>
      <choice value="1">1.0</choice>
      <default>1</default>

## Dual use of $xxx$ notation in SPL
This is a throw-away example to illustrate the difference between parameter in a SPL macro and token used in Splunk dashboards.  Because they both use the notation $xxx$, new users can get confused.  This Splunk Answers question is an example where people can view the two as interchangeable: https://community.splunk.com/t5/Splunk-Search/How-to-include-arguments-in-search-macros-with-non-alphanumeric/m-p/696444#M236694.  The confusion surfaced because some token names can contain characters that are unacceptable as macro parameters.

This gist contains two parts.  One is a dashboard that passes tokens $timepicker.earliest$ and $timepicker.latest$ into a macro.  Here, the token names happen to contain a dot that is illegal in macro parameters.  The other is the parameterized macro that uses these tokens.

But the problem is not in the dot.  The gist of the problem is that, even though in most cases Splunk populates tokens as string values before execution, in a macro, you cannot use the $xxx$ notation without d

## changed-search-missing-field.json
{
	"visualizations": {
		"viz_AD6BWNHC": {
			"type": "splunk.events",
			"dataSources": {
				"primary": "ds_4EfZYMc8"
			},
			"title": "base1",
			"description": "index=_internal",
			"showProgressBar": false,

## direct_reports.viz.spl
``` use with orgdata.emu.spl ```
``` print direct reports ```
| stats values(displayName) as directReports dc(cn) as report_count by manager

## delay.sh
#!/bin/bash
# root qdisc handle
r_handle=1
# netem qdisc handle
n_handle=2

interface=
delay=
dstip=
qdpresent=
	<form version="1.1" theme="light">
	<label>Color palette based on two values</label>
	<description>https://community.splunk.com/t5/Dashboards-Visualizations/Color-Palette-Expression-based-on-two-fields/m-p/757387#M59355</description>
	<fieldset submitButton="false">
	<input type="radio" token="task_pct_tok" searchWhenChanged="true">
	<label>task_pct</label>
	<choice value="0">0</choice>
	<choice value="0.5">0.5</choice>
	<choice value="1">1.0</choice>
	<default>1</default>
	This is a throw-away example to illustrate the difference between parameter in a SPL macro and token used in Splunk dashboards. Because they both use the notation $xxx$, new users can get confused. This Splunk Answers question is an example where people can view the two as interchangeable: https://community.splunk.com/t5/Splunk-Search/How-to-include-arguments-in-search-macros-with-non-alphanumeric/m-p/696444#M236694. The confusion surfaced because some token names can contain characters that are unacceptable as macro parameters.

	This gist contains two parts. One is a dashboard that passes tokens $timepicker.earliest$ and $timepicker.latest$ into a macro. Here, the token names happen to contain a dot that is illegal in macro parameters. The other is the parameterized macro that uses these tokens.

	But the problem is not in the dot. The gist of the problem is that, even though in most cases Splunk populates tokens as string values before execution, in a macro, you cannot use the $xxx$ notation without d
	{
	"visualizations": {
	"viz_AD6BWNHC": {
	"type": "splunk.events",
	"dataSources": {
	"primary": "ds_4EfZYMc8"
	},
	"title": "base1",
	"description": "index=_internal",
	"showProgressBar": false,
	``` use with orgdata.emu.spl ```
	``` print direct reports ```
	\| stats values(displayName) as directReports dc(cn) as report_count by manager
	#!/bin/bash
	# root qdisc handle
	r_handle=1
	# netem qdisc handle
	n_handle=2

	interface=
	delay=
	dstip=
	qdpresent=