Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

<driildown_search> search query for <drilldown_name>="View all login attempts by system $src$"

Mahalaxmi
Loves-to-Learn
‎07-25-2021 10:30 PM

Hello ,

I need to frame the search query for <drilldown_search> for the following type :

"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"

Currently in my results have value for src, how Do I escape this '|s' in the query string.

 

Thanks,

Mahalaxmi 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-25-2021 11:01 PM

@Mahalaxmi 

Can you please share more details like, sample code block, use case , etc ??

KV

0 Karma
Reply

Mahalaxmi
Loves-to-Learn
‎07-26-2021 11:30 PM

Hello @kamlesh_vaghela 
Use Case:
The current requirement is to fetch the base events from Contributing events for a Notable event using Splunk Search Rest API. Reference https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/RESTREF/RESTsearch#search.2Fjobs

As part of the Post Search action, we have rule_id & timestamp. in response <sid>(Search ID) is returned . With help of this <sid>  <drilldown> parameteres. like <drilldown_name>,<drilldown_latest>,<drilldown_earliest>,<drilldown_search> & <src> fields  we need to make search query.

My question is based on these drilldown parameters how do I make the search query for fetching the base events using  <drilldown_search>?
"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"


This is API URL for post action:
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/RESTREF/RESTsearch#search.2Fjobs

https://<host>:<mPort>/services/search/jobs

 Where and all fields do I need to replace the  '$src$' value and frame the query?

 

Thanks,
Mahalaxmi 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2021 11:46 PM

Can you pleas share code block of this?

"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"

 

0 Karma
Reply

Mahalaxmi
Loves-to-Learn
‎07-27-2021 09:36 PM

Hello 

I doing this in Postman, passing data search value by substituting the src value as request param

| from datamodel:\"Authentication\".\"Authentication\" | search src="NAOBDSADDC01"

for single value of src.

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...