Can Splunk make column values drill-downable in an emailed table?

nick405060
Motivator

Hi,

I have an email that gets sent out to our department saying "You have noncompliant servers requiring patching", using sendemail. In the email to each user is an inlined table with two columns, one being their servers requiring patching, servers, and the other being the # of patches needed per server. I would like to make servers drill-downable so that you can click the server name and then in Splunk see which patches are needed for that server.

Can Splunk make column values drill-downable in an email?

jacobpevans
Motivator

Greetings @nick405060,

I don't know a way to natively do that, but we've had success doing something like below to dynamically generate searches that show what you want. You could also do something similar to fill in tokens on a dashboard if you wanted. The [index] and [sourcetype] values are pulled from a lookup in our case.

[base search]
| eval URL= "https://192.168.0.1:8000/en-US/app/[app]/" . replace("search?earliest=-7d&latest=now&q=search%20index%3D" . [index]. "%20sourcetype%3D\"" . [sourcetype] . "\"%20host%3D" . host, ":", "%3A") . " *************************************** "

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

nick405060
Motivator

Ah, so I could create a third field in the email that is just a URL that takes you to the patches for each server. But how can I make those URLs clickable?

0 Karma

nick405060
Motivator

At least in Outlook, URLs tabled in an emailed Splunk table are automatically converted to hyperlinks! So your answer mostly answers this question.

It would be nice if you could hide that URL behind a hyperlinked servers field, though, instead of having the whole huge bloody URL displayed in a third field for each server.

nick405060
Motivator

Not a complete fix on this, but I was able to make that URL (a little) less huge by linking to this small-URL'd search:

| savedsearch "patching_lookup" server="MYHOSTNAME"

... which just calls the much longer savedsearch

jacobpevans
Motivator

Smart! I like it.

Cheers,
Jacob


nick405060
Motivator

For an even shorter URL (and overall simpler implementation): call a macro with parameters in your URL.

https://splunk.MYDOMAIN.com/en-US/app/MYAPP/search?q=search%20%60MYMACRO(MYSERVER)%60

0 Karma
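
The macro URL from the post above, generated for each row of the emailed table, as an added example that is not part of the original thread. The base URL and macro name reuse the thread's placeholders; the row keys, function names and the hostname pattern are assumptions. The server name ends up inside a search string that runs when the recipient clicks, so it is checked against a plain hostname shape before being percent-encoded.

```python
import re
from urllib.parse import quote

# Placeholders taken from the thread; replace with your own deployment values.
BASE = "https://splunk.MYDOMAIN.com/en-US/app/MYAPP/search"
MACRO = "MYMACRO"

# Assumed hostname shape: letters, digits, dots and hyphens only.
# Anything else (backticks, pipes, spaces, brackets) would change the SPL
# that the link runs, so such values get no link at all.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def drilldown_url(server):
    """Return the drill-down URL for one server, or None if the name is not a plain hostname."""
    if not isinstance(server, str) or not HOSTNAME_RE.fullmatch(server):
        return None
    spl = "search `{}({})`".format(MACRO, server)
    # Encode spaces and backticks; parentheses stay literal, as in the thread's URL.
    return BASE + "?q=" + quote(spl, safe="()")


def add_url_column(rows):
    """Return copies of the table rows with a 'url' field; rejected names get an empty one."""
    out = []
    for row in rows:
        new_row = dict(row)
        new_row["url"] = drilldown_url(row.get("servers")) or ""
        out.append(new_row)
    return out


if __name__ == "__main__":
    # Constructed sample rows shaped like the two-column table in the question.
    sample = [
        {"servers": "web01.corp.example", "patches": 4},
        {"servers": "db`02", "patches": 1},  # malformed name: no link is produced
    ]
    for r in add_url_column(sample):
        print(r["servers"], r["patches"], r["url"] or "(no link)")
```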

jacobpevans
Motivator

Don't forget to mark an answer as accepted for future Splunkers having the same problem (even if that answer is your own).

Cheers,
Jacob

0 Karma

nick405060
Motivator

Since the question is "can Splunk make column values drill-downable", I think an accepted answer would be one that makes the servers column drill-downable. Although, your answer of creating a URL column is obviously very relevant (and possibly the best workaround, because you might not actually be able to do what the question is asking)

0 Karma