I have an email that gets sent out to our department saying "You have noncompliant servers requiring patching", using sendemail. In the email to each user is an inlined table with two columns, one being their servers requiring patching, servers, and the other being the # of patches needed per server. I would like to make servers drill-downable so that you can click the server name and then in Splunk see which patches are needed for that server.
Can Splunk make column values drill-downable in an email?
I don't know a way to natively do that, but we've had success doing something like below to dynamically generate searches that show what you want. You could also do something similar to fill in tokens on a dashboard if you wanted. The [sourcetype] values are pulled from a lookup in our case.
[base search] | eval URL= "https://192.168.0.1:8000/en-US/app/[app]/" . replace("search?earliest=-7d&latest=now&q=search%20index%3D" . [index]. "%20sourcetype%3D\"" . [sourcetype] . "\"%20host%3D" . host, ":", "%3A") . " *************************************** "
At least in Outlook, URLs tabled in an emailed Splunk table are automatically converted to hyperlinks! So your answer mostly answers this question.
It would be nice if you could hide that URL behind a hyperlinked servers field, though, instead of having the whole huge bloody URL displayed in a third field for each server.
Not a complete fix on this, but I was able to make that URL (a little) less huge by linking to this small-URL'd search:
| savedsearch "patching_lookup" server="MYHOSTNAME"
... which just calls the much longer savedsearch
Smart! I like it.
Don't forget to mark an answer as accepted for future Splunkers having the same problem (even if that answer is your own).
Since the question is "can Splunk make column values drill-downable", I think an accepted answer would be one that makes the servers column drill-downable. Although, your answer of creating a URL column is obviously very relevant (and possibly the best workaround, because you might not actually be able to do what the question is asking).
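
Added example, not code from any poster in this thread: a Python sketch of the two link forms discussed above (the inline search and the shorter `| savedsearch "patching_lookup"` call), with the whole query percent-encoded rather than only the colons, and with the host value checked before it is placed in the search. The app name `search`, the index `patching`, the sourcetype `patch:status` and the sample hostnames are assumptions made for the example.

```python
import re
from urllib.parse import quote

# Host and port are the ones in the thread; the app name "search" is an assumption.
BASE = "https://192.168.0.1:8000/en-US/app/search/search"

# Only plain hostnames may be placed into a search string, so a quote, pipe or
# space in a field value can never change the search the link runs.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")


def drilldown_url(spl, earliest="-7d", latest="now"):
    """Build a search URL with the whole query percent-encoded."""
    # safe="" encodes every reserved character, including ':', '"', '|', '='.
    def enc(value):
        return quote(value, safe="")
    return f"{BASE}?earliest={enc(earliest)}&latest={enc(latest)}&q={enc(spl)}"


def checked(host):
    """Return host unchanged if it looks like a hostname, else raise."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"refusing to build a link for host value {host!r}")
    return host


def long_form(host, index, sourcetype):
    """Inline search, as in the first answer."""
    return drilldown_url(
        f'search index={index} sourcetype="{sourcetype}" host={checked(host)}')


def short_form(host):
    """Saved-search call, as in the follow-up comment."""
    return drilldown_url(
        f'| savedsearch "patching_lookup" server="{checked(host)}"')


if __name__ == "__main__":
    # Constructed sample rows: (servers, number of patches needed).
    for server, count in [("web01", 12), ("db-02.corp.example", 3)]:
        print(server, count)
        print("  long :", long_form(server, "patching", "patch:status"))
        print("  short:", short_form(server))
```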