Can Splunk make column values drill-downable in an...

nick405060 · ‎10-07-2019

Hi,

I have an email that gets sent out to our department saying "You have noncompliant servers requiring patching", using sendemail. In the email to each user is an inlined table with two columns, one being their servers requiring patching, servers, and the other being the # of patches needed per server. I would like to make servers drill-downable so that you can click the server name and then in Splunk see which patches are needed for that server.

Can Splunk make column values drill-downable in an email?

jacobpevans · ‎10-07-2019

Greetings @nick405060,

I don't know a way to natively do that, but we've had success doing something like below to dynamically generate searches that show what you want. You could also do something similar to fill in tokens on a dashboard if you wanted. The [index] and [sourcetype] values are pulled from a lookup in our case.

[base search]
| eval URL= "https://192.168.0.1:8000/en-US/app/[app]/" . replace("search?earliest=-7d&latest=now&q=search%20index%3D" . [index]. "%20sourcetype%3D\"" . [sourcetype] . "\"%20host%3D" . host, ":", "%3A") . " *************************************** "

Cheers,
Jacob

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

nick405060 · ‎10-07-2019

Ah, so I could create a third field in the email that is just a URL that takes you to the patches for each server. But how can I make those URLs clickable?

nick405060 · ‎10-07-2019

At least in Outlook, URLs tabled in an emailed Splunk table are automatically converted to hyperlink! So your answer mostly answers this question.

It would be nice if you could hide that URL behind a hyperlinked servers field, though, instead of having the whole huge bloody URL displayed in a third field for each server

nick405060 · ‎10-07-2019

Not a complete fix on this, but I was able to make that URL (a little) less huge by linking to this small-URL'd search:

| savedsearch "patching_lookup" server="MYHOSTNAME"

... which just calls the much longer savedsearch

jacobpevans · ‎10-08-2019

Smart! I like it.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

nick405060 · ‎10-08-2019

For an even shorter URL (and overall simpler implementation): call a macro with parameters in your URL.

https://splunk.MYDOMAIN.com/en-US/app/MYAPP/search?q=search%20%60MYMACRO(MYSERVER)%60

nick405060 · ‎10-08-2019

Or link to a dashboard

https://splunk.MYDOMAIN.com/en-US/app/MYAPP/drilldown?form.MYTOKEN=MYSERVER

jacobpevans · ‎10-09-2019

Don't forget to mark an answer as accepted for future Splunkers having the same problem (even if that answer is your own).

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

nick405060 · ‎10-09-2019

Since the question is "can Splunk make column values drill-downable", I think an accepted answer would be one that makes the servers column drill-downable. Although, your answer of creating a URL column is obviously very relevant (and possibly the best workaround, because you might not actually be able to do what the question is asking)

Can Splunk make column values drill-downable in an emailed table?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!