Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search events of subsearch in append displays both subsearch and parent search events

mmengu416
New Member
‎09-19-2019 07:00 AM

Hi Guys,
I have been struggling with this issue since few days, please provide me inputs. I have a search query

sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | stats count by message 
| append [ search message="account error : account not found in abc" | stats count by message ] | append [ search message="account error : xyz field missing in abc claims" | stats count by message]

Here, I need to add the sum of "account error: primary account number is null " search so I am taking it as eval to sum up the result and display it as number. with that I am appending rest of 2 sub searches. everything is working well and it displays something like this

My Issue is:
When I click to view the events of the individual searches, lets say I am selecting "account error : account not found in abc", the search events query is coming up like this 

sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | search message="account error : account not found in abc"

Why I am getting the eval search in the search events?? how to get rid of that in search events??

message count
account error: primary account number is null   5
account error : account not found in abc    26
account error : xyz field missing in abc claims 5
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2019 12:41 PM

If this search is in a dashboard you can define a drilldown search that uses any query you want. Otherwise, I believe Splunk assumes your click is a refinement of the original search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mmengu416
New Member
‎09-20-2019 05:15 AM

hey @richgalloway, Thank you for your response. How do I define a drill down search?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2019 06:43 AM

Edit the dashboard. Click the triple-dot icon on the panel and select "Edit Drilldown". Select "Link to search", click Custom, then enter the search you want the drilldown to perform.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...