Dashboards & Visualizations

Search events of subsearch in append displays both subsearch and parent search events

mmengu416
New Member

Hi Guys,
I have been struggling with this issue for a few days; please provide me with inputs. I have a search query:

sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | stats count by message 
| append [ search message="account error : account not found in abc" | stats count by message ] | append [ search message="account error : xyz field missing in abc claims" | stats count by message]

Here, I need to add the sum of the "account error: primary account number is null" search, so I am taking it as eval to sum up the result and display it as a number. With that, I am appending the rest of the 2 subsearches. Everything is working well and it displays something like this:

My issue is:
When I click to view the events of the individual searches, let's say I am selecting "account error : account not found in abc", the search events query comes up like this:

sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | search message="account error : account not found in abc"

Why am I getting the eval search in the search events? How do I get rid of that in the search events?

message                                           count
account error: primary account number is null     5
account error : account not found in abc          26
account error : xyz field missing in abc claims   5
0 Karma

richgalloway
SplunkTrust

If this search is in a dashboard you can define a drilldown search that uses any query you want. Otherwise, I believe Splunk assumes your click is a refinement of the original search.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

mmengu416
New Member

Hey @richgalloway, thank you for your response. How do I define a drilldown search?

0 Karma

richgalloway
SplunkTrust

Edit the dashboard. Click the triple-dot icon on the panel and select "Edit Drilldown". Select "Link to search", click Custom, then enter the search you want the drilldown to perform.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
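
The custom drilldown described in the answer above, written as Simple XML dashboard source, so a click opens its own search instead of a refinement of the panel query. This is an added example, not part of the original thread; the dashboard label, the time range and the assumption that message is an extracted field on the events are assumptions.

```xml
<dashboard>
  <!-- Constructed example: label and time range are placeholders -->
  <label>Account errors (example)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Panel query as posted in the question -->
          <query>sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | stats count by message | append [ search message="account error : account not found in abc" | stats count by message ] | append [ search message="account error : xyz field missing in abc claims" | stats count by message ]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Clicking anywhere in a row triggers the drilldown -->
        <option name="drilldown">row</option>
        <drilldown>
          <!--
            Custom "Link to search" target. The query string is URL-encoded:
              sourcetype=my_source message="<clicked row's message value>"
            $row.message|u$ inserts the message column of the clicked row,
            URL-encoded by the |u token filter. $earliest$ and $latest$ carry
            over the time range of the panel search. Nothing from the panel
            query (the eval/case) is included in the drilldown search.
          -->
          <link target="_blank">search?q=sourcetype%3Dmy_source%20message%3D%22$row.message|u$%22&amp;earliest=$earliest$&amp;latest=$latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

The link matches events only where the clicked text is the actual value of the message field, which is the case for the two appended rows. The first row's label is produced by the eval in the panel query, so that row would need a drilldown search built on the original match string instead.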