Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search events of subsearch in append displays both subsearch and parent search events

mmengu416
New Member
‎09-19-2019 07:00 AM

Hi Guys,
I have been struggling with this issue since few days, please provide me inputs. I have a search query

sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | stats count by message 
| append [ search message="account error : account not found in abc" | stats count by message ] | append [ search message="account error : xyz field missing in abc claims" | stats count by message]

Here, I need to add the sum of "account error: primary account number is null " search so I am taking it as eval to sum up the result and display it as number. with that I am appending rest of 2 sub searches. everything is working well and it displays something like this

My Issue is:
When I click to view the events of the individual searches, lets say I am selecting "account error : account not found in abc", the search events query is coming up like this 

sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | search message="account error : account not found in abc"

Why I am getting the eval search in the search events?? how to get rid of that in search events??

message count
account error: primary account number is null   5
account error : account not found in abc    26
account error : xyz field missing in abc claims 5
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2019 12:41 PM

If this search is in a dashboard you can define a drilldown search that uses any query you want. Otherwise, I believe Splunk assumes your click is a refinement of the original search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mmengu416
New Member
‎09-20-2019 05:15 AM

hey @richgalloway, Thank you for your response. How do I define a drill down search?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2019 06:43 AM

Edit the dashboard. Click the triple-dot icon on the panel and select "Edit Drilldown". Select "Link to search", click Custom, then enter the search you want the drilldown to perform.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...