Hi Guys,
I have been struggling with this issue for a few days; please give me your input. I have a search query:
sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | stats count by message
| append [ search message="account error : account not found in abc" | stats count by message ] | append [ search message="account error : xyz field missing in abc claims" | stats count by message]
Here I need the total count for the "account error: primary account number is null" search, so I use eval to tag those events and count them, displaying the result as a number. To that I append the other two subsearches. Everything works well and it displays something like this:

message                                           count
account error: primary account number is null     5
account error : account not found in abc          26
account error : xyz field missing in abc claims   5

My Issue is:
When I click to view the events of the individual searches, let's say I select "account error : account not found in abc", the search events query comes up like this:
sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | search message="account error : account not found in abc"
Why am I getting the eval search in the search events? How do I get rid of it in the search events?
If this search is in a dashboard you can define a drilldown search that uses any query you want. Otherwise, I believe Splunk assumes your click is a refinement of the original search.
Hey @richgalloway, thank you for your response. How do I define a drilldown search?
Edit the dashboard. Click the triple-dot icon on the panel and select "Edit Drilldown". Select "Link to search", click Custom, then enter the search you want the drilldown to perform.
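For readers who prefer to see the result of those clicks, here is what the custom "Link to search" drilldown looks like in the panel's Simple XML. This is an added example, not code from the thread; the dashboard label, panel title and the decision to open the search in a new tab are assumptions, and the search itself reuses the question's sourcetype, filter placeholder and message values.

```xml
<dashboard>
  <label>Account errors</label>
  <row>
    <panel>
      <table>
        <title>Account error counts</title>
        <search>
          <query>
            sourcetype=my_source | search my_search_filters
            | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null")
            | stats count by message
            | append [ search message="account error : account not found in abc" | stats count by message ]
            | append [ search message="account error : xyz field missing in abc claims" | stats count by message ]
          </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <!-- Custom drilldown: build a fresh search from the clicked row instead of
             letting Splunk refine the panel's own query (which carries the eval along). -->
        <drilldown>
          <!-- $row.message$ is the message value of the clicked row. The |u filter
               URL-encodes it so spaces and punctuation in the value stay inside the
               quoted message="..." term of the generated search. -->
          <link target="_blank">
            <![CDATA[search?q=sourcetype%3Dmy_source%20my_search_filters%20message%3D%22$row.message|u$%22&earliest=$earliest$&latest=$latest$]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

The `<link>` body is exactly what the "Custom" box in the Edit Drilldown dialog stores, so you can paste it there instead of editing the XML. The `$earliest$` and `$latest$` tokens keep the drilldown on the same time range as the panel. When a clicked value is dropped directly into a query rather than a URL (for example via `<set token>` feeding a second panel), use the `|s` filter, which quotes and escapes the value for the search language.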