Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

<driildown_search> search query for <drilldown_name>="View all login attempts by system $src$"

Mahalaxmi
Loves-to-Learn
‎07-25-2021 10:30 PM

Hello ,

I need to frame the search query for <drilldown_search> for the following type :

"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"

Currently in my results have value for src, how Do I escape this '|s' in the query string.

 

Thanks,

Mahalaxmi 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-25-2021 11:01 PM

@Mahalaxmi 

Can you please share more details like, sample code block, use case , etc ??

KV

0 Karma
Reply

Mahalaxmi
Loves-to-Learn
‎07-26-2021 11:30 PM

Hello @kamlesh_vaghela 
Use Case:
The current requirement is to fetch the base events from Contributing events for a Notable event using Splunk Search Rest API. Reference https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/RESTREF/RESTsearch#search.2Fjobs

As part of the Post Search action, we have rule_id & timestamp. in response <sid>(Search ID) is returned . With help of this <sid>  <drilldown> parameteres. like <drilldown_name>,<drilldown_latest>,<drilldown_earliest>,<drilldown_search> & <src> fields  we need to make search query.

My question is based on these drilldown parameters how do I make the search query for fetching the base events using  <drilldown_search>?
"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"


This is API URL for post action:
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/RESTREF/RESTsearch#search.2Fjobs

https://<host>:<mPort>/services/search/jobs

 Where and all fields do I need to replace the  '$src$' value and frame the query?

 

Thanks,
Mahalaxmi 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2021 11:46 PM

Can you pleas share code block of this?

"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"

 

0 Karma
Reply

Mahalaxmi
Loves-to-Learn
‎07-27-2021 09:36 PM

Hello 

I doing this in Postman, passing data search value by substituting the src value as request param

| from datamodel:\"Authentication\".\"Authentication\" | search src="NAOBDSADDC01"

for single value of src.

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...