Splunk Enterprise Security

Splunk Enterprise Security: How to pass a token with double quotes to a correlation drilldown search?


Assuming I defined a correlation search in Splunk Enterprise Security as the following:

    index="_internal" sourcetype="splunkd" log_level="INFO" | stats count by name message | rename name AS "alert name"

How can I pass the token "alert name" to the drilldown search?


0 Karma

Splunk Employee
Splunk Employee

I have been looking over some previous questions like this and I am running into the same issues you have encountered. I am trying to understand where you are trying to get at the end of the day though.

I realize your example search is very generic, but why are you looking to rename that value to a multi word value? Is that associated with how you want it to be shown on the Incident Response page? If so, could that be solved in a different manner in the ES Config - Incident Review Settings - Incident Review Field Attributes?

That way the drill down could stay as search index=Internal $name$ as you have in the example, but the display would show Alert Name when you expand the notable event.

That may not be where you are going with this but figured I would throw that out.

Hope this helps...

0 Karma

Revered Legend

Assuming you want to drilldown when you click on any rows of your search results, you can try as suggested in below sample/runanywhere dashboard.

        <title>Fired Alerts - token=$alertname$</title>
          <query>index=_internal sourcetype=scheduler status=success alert_actions=summary_index | stats count by savedsearch_name | rename savedsearch_name as "Alert Name"</query>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
          <set token="alertname">$row.Alert Name$</set>
0 Karma


Hi somesoni2, thank you for your information. However, this is related to the correlation search from Splunk Enterprise Security (app), and it is not related to dashboard creation. Please see "Drill-down search" (field) from the image below:

alt text

Revered Legend

It says "Supports variable substitution with fields from the matching event", so have you tried using search $alert name$?? Or search %alert name% ?

0 Karma


It doesn't work in either format.

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...