Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After clicking on any row in a table of results produced using iplocation, why does it drill down to a search that returns 0 results?

sergiyyarinovsk
Explorer
‎04-05-2016 09:04 AM

Hi there

I have Splunk 6.4.0. I have a table with count of countries based on IP addresses. Search string:

index = my_index
| iplocation ipaddr
| stats count by Country
| sort count desc

Result looks like this:

Country        count
United States   180
China            26
Germany        24
Japan            17
...

Which is great. But when I click any row, I am redirected to the search:

index = my_index
| search Country="United States"
| iplocation ipaddr

It shows 0 results. If I move the search line after the iplocation line, then the search shows the correct count (because the Country field was created by the iplocation command). How can I fix this default behavior without manually changing thesearch string?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

arobbins_splunk
Splunk Employee
Splunk Employee
‎04-05-2016 11:10 AM

I think you've stumbled across a bug with the drilldown system.

As for changing the default, there is no way to change the way that drilldown works on the search page.

The only work-around I can think of is: make a dashboard with that search. You can then use "dynamic drilldown" which you can specify in the XML to craft the exact search that you want to run given a particular value for Country.

View solution in original post

Reply
Solved! Jump to solution
Solution

arobbins_splunk
Splunk Employee
Splunk Employee
‎04-05-2016 11:10 AM

I think you've stumbled across a bug with the drilldown system.

As for changing the default, there is no way to change the way that drilldown works on the search page.

The only work-around I can think of is: make a dashboard with that search. You can then use "dynamic drilldown" which you can specify in the XML to craft the exact search that you want to run given a particular value for Country.

Reply
Solved! Jump to solution

sergiyyarinovsk
Explorer
‎04-06-2016 02:28 AM

Actually yeah. Good point 🙂 But I have already done that with dynamic drilldown. Thanks anyway. I will provide my example for another users:

<panel>
  <table>
    <title>Logins by country</title>
    <searchString>
      index = my_index
      | iplocation ipaddr
      | stats count by Country
      | sort count desc
    </searchString>
    ...
    <drilldown>
      <link>
        <![CDATA[
            /app/my_splunk_app/search?q=search%20index%20%3D%20my_index ... %20%7C%20search%20Country%20%3D%20"$row.Country$" ...
        ]]>
      </link>
  </drilldown>
  ...
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...