
Search events of subsearch in append displays both subsearch and parent search events

mmengu416
New Member

Hi Guys,
I have been struggling with this issue for a few days, please provide me with inputs. I have a search query:

sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | stats count by message 
| append [ search message="account error : account not found in abc" | stats count by message ] | append [ search message="account error : xyz field missing in abc claims" | stats count by message]

Here, I need to add the sum of the "account error: primary account number is null" search, so I am taking it as an eval to sum up the result and display it as a number. With that, I am appending the other 2 subsearches. Everything is working well and it displays something like this:

message                                            count
account error: primary account number is null      5
account error : account not found in abc           26
account error : xyz field missing in abc claims    5

My issue is:
When I click to view the events of the individual searches, let's say I am selecting "account error : account not found in abc", the search events query comes up like this:

sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | search message="account error : account not found in abc"

Why am I getting the eval search in the search events? How do I get rid of that in the search events?
0 Karma

richgalloway
SplunkTrust

If this search is in a dashboard you can define a drilldown search that uses any query you want. Otherwise, I believe Splunk assumes your click is a refinement of the original search.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mmengu416
New Member

Hey @richgalloway, thank you for your response. How do I define a drilldown search?

0 Karma

richgalloway
SplunkTrust

Edit the dashboard. Click the triple-dot icon on the panel and select "Edit Drilldown". Select "Link to search", click Custom, then enter the search you want the drilldown to perform.

---
If this reply helps you, Karma would be appreciated.
0 Karma