Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Drilldown Search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search table that lists user ids in the form of [domain][userid] and a numeric value. There is a drilldown set on the user id that opens a new search where the user id becomes the search value. The problem is that when the new search opens I have to manually replace the single '\' with '\' so the search will run.
Drilldown search looks like this:
index="pan" user="$row.user$" | stats count by http_category | sort -count
Where $row.user$ is the carried forward value (eg uni\3333333) and is what I have to manually correct to uni\3333333.
Is there a way that I can have this manual correction made automatically as part of the drilldown search string.
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @balcv,
I suppose your drilldown looks like this:
<table>
<search>
...
</search>
<drilldown>
<link target="_blank">search?q=index=pan%20user=%22$row.user$%22</link>
</drilldown>
You can use eval expressions in drilldowns. Here is a similar question: How do you use eval in XML drilldown?
So this should work:
<drilldown>
<eval token="usertoken">replace($row.user$,"\\\\","\\\\")</eval>
<link target="_blank">search?q=index=pan%20user=%22$usertoken$%22</link>
</drilldown>
The additional backslashes in the replace function are required for escaping the actual backslashes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @balcv,
I suppose your drilldown looks like this:
<table>
<search>
...
</search>
<drilldown>
<link target="_blank">search?q=index=pan%20user=%22$row.user$%22</link>
</drilldown>
You can use eval expressions in drilldowns. Here is a similar question: How do you use eval in XML drilldown?
So this should work:
<drilldown>
<eval token="usertoken">replace($row.user$,"\\\\","\\\\")</eval>
<link target="_blank">search?q=index=pan%20user=%22$usertoken$%22</link>
</drilldown>
The additional backslashes in the replace function are required for escaping the actual backslashes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect. Thank you. I did have to make one alteration to the code you provided and that was replace the %22 and %20 with the actual characters, but other than that, this is exactly what I needed.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
