Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

<driildown_search> search query for <drilldown_name>="View all login attempts by system $src$"

Mahalaxmi
Loves-to-Learn
‎07-25-2021 10:30 PM

Hello ,

I need to frame the search query for <drilldown_search> for the following type :

"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"

Currently in my results have value for src, how Do I escape this '|s' in the query string.

 

Thanks,

Mahalaxmi 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-25-2021 11:01 PM

@Mahalaxmi 

Can you please share more details like, sample code block, use case , etc ??

KV

0 Karma
Reply

Mahalaxmi
Loves-to-Learn
‎07-26-2021 11:30 PM

Hello @kamlesh_vaghela 
Use Case:
The current requirement is to fetch the base events from Contributing events for a Notable event using Splunk Search Rest API. Reference https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/RESTREF/RESTsearch#search.2Fjobs

As part of the Post Search action, we have rule_id & timestamp. in response <sid>(Search ID) is returned . With help of this <sid>  <drilldown> parameteres. like <drilldown_name>,<drilldown_latest>,<drilldown_earliest>,<drilldown_search> & <src> fields  we need to make search query.

My question is based on these drilldown parameters how do I make the search query for fetching the base events using  <drilldown_search>?
"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"


This is API URL for post action:
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/RESTREF/RESTsearch#search.2Fjobs

https://<host>:<mPort>/services/search/jobs

 Where and all fields do I need to replace the  '$src$' value and frame the query?

 

Thanks,
Mahalaxmi 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2021 11:46 PM

Can you pleas share code block of this?

"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"

 

0 Karma
Reply

Mahalaxmi
Loves-to-Learn
‎07-27-2021 09:36 PM

Hello 

I doing this in Postman, passing data search value by substituting the src value as request param

| from datamodel:\"Authentication\".\"Authentication\" | search src="NAOBDSADDC01"

for single value of src.

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...