- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Splunk ESS: Why does drilldown notable not working...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk ESS: Why does drilldown notable not working?
Hi everyone,
I have a specific question for all of you.
In Splunk ESS I created a correlation search and a notable for the monitoring Incident Review section.
I have set up a specific notable with drilldown to which I pass a field of the CS (Corralation Search) to perform the specific search and display via the Statistics tab.
Corralation Search:
index=* (statusCode=4* OR statusCode=5*)
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID"
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID
Notable Drilldown
index=* (statusCode=4* OR statusCode=5*)
| search sourceIp="$sourceIp$"
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID"
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID
When I open the drilldown from the Notable screen, the following query is returned:
index=* (statusCode=4* OR statusCode=5*)
| search sourceIp="$sourceIp$"
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID"
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID
Instead of:
index=* (statusCode=4* OR statusCode=5*)
| search sourceIp="129.12.x.x"
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID"
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID
Why is the $sourceIp$ field not recognized and replaced with the IP address of the CS so that it can perform a specific search?
What is the error?
Thank you all!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @saveriobocca , just confirming, on your first search (Correlation Search) you have renamed sourceIp to SourceIp. Have you tried using "$SourceIp$" instead of "$sourceIp$" on your drilldown search?
Field names are case-sensitive, so if the token is generated as SourceIp on the correlation search it needs to be the same way on the drilldown.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @alonsocaio thank you for the response.
Yes, after this I tried to write the variable like this "$SourceIp$" but it doesn't work again.
What do you think it could be?
It almost seems that the value is not passed to the variable.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
