Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is variable Substitution not working in drill down searches?

warsaw
Loves-to-Learn Lots
‎02-09-2021 07:58 AM

I have a correlation search where 'dest' field is present, and in drilldown search I have mentioned 

 

 

| search dest="$dest$"

 

 

however when i click on contributing events and the drill down search opens up with same query 

 

 

| search dest="$dest$"

 

 

 instead of the actual value of the 'dest' field, why doesn't this work?

Anyone faced this issue?

Tags (2)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-09-2021 01:30 PM

Have you assigned the clicked field dest to the token $dest$ in the drilldown section of the dashboard? Using the $dest$ in the subsequent search is using a TOKEN called dest, not a field called dest from a previous search.

<drilldown>
  <set token="dest">$row.dest$</set>
</drilldown>

 

0 Karma
Reply

warsaw
Loves-to-Learn Lots
‎02-09-2021 11:04 PM

@bowesmana no, actually this is not a dashboard drill down, it's drill down search in notable events of a correlation search.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2021 09:52 AM

Try something like:

| search dest="$row.dest|n$"
0 Karma
Reply

warsaw
Loves-to-Learn Lots
‎02-09-2021 11:18 PM

No, this is not working, when i click on drill down this search appears 

 

| search dest="$row.dest|n$"

 

not with the actual value. 

0 Karma
Reply

mdicenzo
Explorer
‎07-20-2022 07:24 AM

I am struggling with the same thing, have you resolved this issue?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-20-2022 07:36 AM

What have you tried?

0 Karma
Reply

mdicenzo
Explorer
‎07-20-2022 08:06 AM

So originally I tried to have this as the correlation search 

 

index=o365 sourcetype="mscs:azure:eventhub" "body.operationName"="Risky user" "body.properties.riskLevel"=high | rename body.properties.userDisplayName AS Display_Name | rename body.properties.userPrincipalName AS Email
| stats values(body.operationName) AS Operation_Name, count AS result BY Display_Name | eval dd="index=o365 sourcetype=mscs:azure:eventhub body.operationName=\"User Risk Detection\" body.properties.riskLevel=high \"body.properties.userDisplayName\"=".Display_Name

 

The drill down was then search $dd$. The problem is that the value in Display_Name needs quote for the search to work and I cannot seem to get that to work properly for .Display_Name.


If I have a correlation search of 

index=o365 sourcetype="mscs:azure:eventhub" "body.operationName"="Risky user" "body.properties.riskLevel"=high | rename body.properties.userDisplayName AS Display_Name | rename body.properties.userPrincipalName AS Email
| stats values(body.operationName) AS Operation_Name, count AS result BY Display_Name 

 

And a drill down of 

index=o365 sourcetype=mscs:azure:eventhub body.operationName="User Risk Detection" body.properties.riskLevel=high "body.properties.userDisplayName"=$Display_Name$

 

will that work?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...