Solved: How to use drill-downs using whole field values?

memarshall63 · ‎03-11-2019

I coded this drill down from my panel:

    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval base = "www.google.com" 
| eval full = "http://www.google.com"
| eval word = "google"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">$row.full$</link>
        </drilldown>
      </table>
    </panel>

I want the drill down to go to the full URL that's in $row.full$. However, Splunk seems to assume this is a relative path. If I use

        <drilldown>
          <link target="_blank">http://$row.base$</link>
        </drilldown>

It works as expected. The field I want to use as a target URL has the full path in it. So I'd rather just use $row.full$ as the target.

Is there a way to tell splunk it's a full URL?

niketn · ‎03-11-2019

@memarshall63 try with Token Filter |n which means no filter on existing token.

      <link target="_blank">$row.full|n$</link>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎03-11-2019

@memarshall63 try with Token Filter |n which means no filter on existing token.

      <link target="_blank">$row.full|n$</link>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

memarshall63 · ‎03-12-2019

Nice. Thanks very much.

How to use drill-downs using whole field values?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases