Hi,
I have an email that gets sent out to our department saying "You have noncompliant servers requiring patching", using sendemail
. In the email to each user is an inlined table with two columns, one being their servers requiring patching, servers
, and the other being the # of patches needed per server. I would like to make servers
drill-downable so that you can click the server name and then in Splunk see which patches are needed for that server.
Can Splunk make column values drill-downable in an email?
Greetings @nick405060,
I don't know a way to natively do that, but we've had success doing something like below to dynamically generate searches that show what you want. You could also do something similar to fill in tokens on a dashboard if you wanted. The [index]
and [sourcetype]
values are pulled from a lookup in our case.
[base search]
| eval URL= "https://192.168.0.1:8000/en-US/app/[app]/" . replace("search?earliest=-7d&latest=now&q=search%20index%3D" . [index]. "%20sourcetype%3D\"" . [sourcetype] . "\"%20host%3D" . host, ":", "%3A") . " *************************************** "
Cheers,
Jacob
Ah, so I could create a third field in the email that is just a URL that takes you to the patches for each server
. But how can I make those URLs clickable?
At least in Outlook, URLs tabled in an emailed Splunk table are automatically converted to hyperlink! So your answer mostly answers this question.
It would be nice if you could hide that URL behind a hyperlinked servers
field, though, instead of having the whole huge bloody URL displayed in a third field for each server
Not a complete fix on this, but I was able to make that URL (a little) less huge by linking to this small-URL'd search:
| savedsearch "patching_lookup" server="MYHOSTNAME"
... which just calls the much longer savedsearch
Smart! I like it.
For an even shorter URL (and overall simpler implementation): call a macro with parameters in your URL.
https://splunk.MYDOMAIN.com/en-US/app/MYAPP/search?q=search%20%60MYMACRO(MYSERVER)%60
Or link to a dashboard
https://splunk.MYDOMAIN.com/en-US/app/MYAPP/drilldown?form.MYTOKEN=MYSERVER
Don't forget to mark an answer as accepted for future Splunkers having the same problem (even if that answer is your own).
Since the question is "can Splunk make column values drill-downable", I think an accepted answer would be one that makes the servers
column drill-downable. Although, your answer of creating a URL column is obviously very relevant (and possibly the best workaround, because you might not actually be able to do what the question is asking)