Splunk Search

After clicking on any row in a table of results produced using iplocation, why does it drill down to a search that returns 0 results?

sergiyyarinovsk
Explorer

Hi there

I have Splunk 6.4.0. I have a table with count of countries based on IP addresses. Search string:

index = my_index
| iplocation ipaddr
| stats count by Country
| sort count desc

Result looks like this:

Country        count
United States   180
China            26
Germany        24
Japan            17
...

Which is great. But when I click any row, I am redirected to the search:

index = my_index
| search Country="United States"
| iplocation ipaddr

It shows 0 results. If I move the search line after the iplocation line, then the search shows the correct count (because the Country field was created by the iplocation command). How can I fix this default behavior without manually changing thesearch string?

Thanks

0 Karma
1 Solution

arobbins_splunk
Splunk Employee
Splunk Employee

I think you've stumbled across a bug with the drilldown system.

As for changing the default, there is no way to change the way that drilldown works on the search page.

The only work-around I can think of is: make a dashboard with that search. You can then use "dynamic drilldown" which you can specify in the XML to craft the exact search that you want to run given a particular value for Country.

View solution in original post

arobbins_splunk
Splunk Employee
Splunk Employee

I think you've stumbled across a bug with the drilldown system.

As for changing the default, there is no way to change the way that drilldown works on the search page.

The only work-around I can think of is: make a dashboard with that search. You can then use "dynamic drilldown" which you can specify in the XML to craft the exact search that you want to run given a particular value for Country.

sergiyyarinovsk
Explorer

Actually yeah. Good point 🙂 But I have already done that with dynamic drilldown. Thanks anyway. I will provide my example for another users:

<panel>
  <table>
    <title>Logins by country</title>
    <searchString>
      index = my_index
      | iplocation ipaddr
      | stats count by Country
      | sort count desc
    </searchString>
    ...
    <drilldown>
      <link>
        <![CDATA[
            /app/my_splunk_app/search?q=search%20index%20%3D%20my_index ... %20%7C%20search%20Country%20%3D%20"$row.Country$" ...
        ]]>
      </link>
  </drilldown>
  ... 
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...