Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk ESS: Why does drilldown notable not working?

saveriobocca
Loves-to-Learn Lots
‎01-22-2021 03:06 AM

Hi everyone,
I have a specific question for all of you.

In Splunk ESS I created a correlation search and a notable for the monitoring Incident Review section.

I have set up a specific notable with drilldown to which I pass a field of the CS (Corralation Search)  to perform the specific search and display via the Statistics tab.

Corralation Search:

 

index=* (statusCode=4* OR statusCode=5*)  
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID"  
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID

 

Notable Drilldown

 

index=* (statusCode=4* OR statusCode=5*)  
| search sourceIp="$sourceIp$"
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID"  
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID

 

When I open the drilldown from the Notable screen, the following query is returned:

 

index=* (statusCode=4* OR statusCode=5*) 
| search sourceIp="$sourceIp$" 
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID" 
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID

 

Instead of:

 

index=* (statusCode=4* OR statusCode=5*)  
| search sourceIp="129.12.x.x"
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID"  
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID

 

Why is the $sourceIp$ field not recognized and replaced with the IP address of the CS so that it can perform a specific search?

What is the error?

Thank you all!

Labels (2)
Labels
0 Karma
Reply

alonsocaio
Contributor
‎01-22-2021 09:23 AM

Hey @saveriobocca , just confirming, on your first search (Correlation Search) you have renamed sourceIp to SourceIp. Have you tried using "$SourceIp$" instead of "$sourceIp$" on your drilldown search?

Field names are case-sensitive, so if the token is generated as SourceIp on the correlation search it needs to be the same way on the drilldown.

0 Karma
Reply

saveriobocca
Loves-to-Learn Lots
‎01-22-2021 01:57 PM

Hi @alonsocaio  thank you for the response.

Yes, after this I tried to write the variable like this "$SourceIp$" but it doesn't work again.

What do you think it could be?
It almost seems that the value is not passed to the variable.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...