topic Re: <driildown_search> search query for <drilldown_name>="View all login attempts by system $src$& in Dashboards & Visualizations

search query for ="View all login attempts by system $src$"

Mahalaxmi — Mon, 26 Jul 2021 05:30:01 GMT

Hello ,

I need to frame the search query for <drilldown_search> for the following type :

"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"

Currently in my results have value for src, how Do I escape this '|s' in the query string.

Thanks,

Mahalaxmi

Re: search query for ="View all login attempts by system $src$"

kamlesh_vaghela — Mon, 26 Jul 2021 06:01:12 GMT

@Mahalaxmi

Can you please share more details like, sample code block, use case , etc ??

Re: search query for ="View all login attempts by system $src$&

Mahalaxmi — Tue, 27 Jul 2021 06:30:51 GMT

Hello @kamlesh_vaghela
Use Case:
The current requirement is to fetch the base events from Contributing events for a Notable event using Splunk Search Rest API. Reference https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/RESTREF/RESTsearch#search.2Fjobs

As part of the Post Search action, we have rule_id & timestamp. in response <sid>(Search ID) is returned . With help of this <sid> <drilldown> parameteres. like <drilldown_name>,<drilldown_latest>,<drilldown_earliest>,<drilldown_search> & <src> fields we need to make search query.

My question is based on these drilldown parameters how do I make the search query for fetching the base events using <drilldown_search>?
"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"

This is API URL for post action:
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/RESTREF/RESTsearch#search.2Fjobs

https://<host>:<mPort>/services/search/jobs

Where and all fields do I need to replace the '$src$' value and frame the query?

Thanks,
Mahalaxmi

Re: search query for ="View all login attempts by system $src$&

kamlesh_vaghela — Tue, 27 Jul 2021 06:46:57 GMT

Can you pleas share code block of this?

"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"

Re: search query for ="View all login attempts by system $src$&

Mahalaxmi — Wed, 28 Jul 2021 04:36:37 GMT

Hello

I doing this in Postman, passing data search value by substituting the src value as request param

| from datamodel:\"Authentication\".\"Authentication\" | search src="NAOBDSADDC01"

for single value of src.