Splunk Search

Advanced XML Click down search approach for fields using lookup table

jerrad
Path Finder

I have spent some time reading through the UI examples App and have attempted to duplicate a basic drill down action from a chart with a few challenges. The main issue I have is that I have a chart using a field that is built from a lookup table, however the description is not actually present in the raw event so trying to search events with CLEAR_CODE_DESC="abcd1234" returns no results. I can search the original CLEAR_CODE value in the raw event, but I don't want to build my chart based off of this field as it's meaningless.

I have done some reading and I understand why it fails; however, I need to find an approach that allows me to click this description and have it move down to a ConvertToIntention module, which builds a subsequent timechart based off of the bar that was clicked in the chart.

Is there a way I can build the original chart with the CLEAR_CODE_DESC field but, when the bar is clicked, convert the description back to the original CLEAR_CODE value and then pass that down to the child module?

Thanks
Jerrad


gkanapathy
Splunk Employee

If you configure an automatic lookup, drilldowns and reverse lookups will work fine.

gkanapathy
Splunk Employee

Yes, pretty much that's what's happening, but yours is one level deeper because the match isn't on the output value of the lookup, but rather the input. So, yes, if you keep the H in ABC123H, then it would work.


jerrad
Path Finder

Ironically, this exact type of issue was just mentioned on Splunk Blogs a few days ago. Essentially, my field is not a token when it only includes a substring of the full string; either I extract the full string/token or take the fields.conf approach, which I have read is not the best approach if you can avoid it.

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/


jerrad
Path Finder

Your clarification that this should work has me thinking now about what might be my issue with reverse lookups failing.

If my raw event is as follows:

start of event
blah blah blah
CODE              ABC123H
blah blah
end of event

If I make an extracted field called CODE such as "CODE\s+(?P<CODE>\w{6})", which would have the value ABC123 (note that I am not capturing the H in the extraction, simply because every event has it present, so I just chose to ignore it), and if I use this extracted field to drive a lookup table that generates a new output field called CODE_DESC, then when it attempts to reverse lookup CODE_DESC=blah back to ABC123 the search would fail, because the full segment is ABC123H, not ABC123. I suspect that if I have my extracted field include the full segment, this will work.

I can test this out tomorrow at work, but I think this is probably what is happening. Does this sound right?

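Putting the accepted answer (configure an automatic lookup) together with the extraction point raised in the post above, here is an added configuration example. It is not from the original thread and not Splunk's own documentation; the sourcetype name clear_events, the lookup name clear_code_lookup, the file clear_codes.csv and the description values in it are assumptions constructed for illustration. The key detail is that the extraction captures the whole token ABC123H, so that the search Splunk generates from the reverse lookup (CLEAR_CODE=ABC123H) matches an indexed term.

```ini
# Added example, not from the original thread. All three .conf files go in the
# same app (e.g. $SPLUNK_HOME/etc/apps/<app>/local/), and the CSV goes in that
# app's lookups/ directory.

# --- lookups/clear_codes.csv (constructed sample content, shown as comments) ---
#   CLEAR_CODE,CLEAR_CODE_DESC
#   ABC123H,Cleared by operator
#   DEF456H,Auto-cleared on timeout
# Note the lookup key holds the FULL token (ABC123H), exactly as it appears in
# the raw event, not the shortened ABC123.

# --- transforms.conf ---
# Defines the CSV lookup that props.conf refers to below.
[clear_code_lookup]
filename = clear_codes.csv

# --- props.conf ---
[clear_events]
# Extract the code from the "CODE   ABC123H" line. \w+ captures the whole token
# (trailing H included). A tighter regex such as \w{6} would yield ABC123,
# which is not a term in the index, so the reverse lookup's generated search
# CLEAR_CODE=ABC123 would return nothing even though the field exists.
EXTRACT-clear_code = CODE\s+(?P<CLEAR_CODE>\w+)

# Automatic lookup: every event gets CLEAR_CODE_DESC at search time, and a
# search such as CLEAR_CODE_DESC="Cleared by operator" is reversed by Splunk
# into a search on the matching CLEAR_CODE value. That is what lets a chart
# drilldown on the description field find events.
LOOKUP-clear_code = clear_code_lookup CLEAR_CODE OUTPUT CLEAR_CODE_DESC

# --- fields.conf (alternative, only if the extraction cannot cover the whole token) ---
# Tells Splunk the field's value is not an indexed term, so a search on
# CLEAR_CODE=<value> filters extracted events instead of looking up the term
# in the index. It works, but it is slower, which is why the thread prefers
# fixing the extraction.
# [CLEAR_CODE]
# INDEXED_VALUE = false
```

With this in place the chart can be built on CLEAR_CODE_DESC (for example `sourcetype=clear_events | stats count by CLEAR_CODE_DESC`), and the drilldown's intention search on CLEAR_CODE_DESC="..." is handled by the reverse lookup without any conversion back to CLEAR_CODE in the XML. Assuming the files are deployed, a quick check is `splunk btool props list clear_events --debug` to confirm the EXTRACT- and LOOKUP- lines are being read from the expected app.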