Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After clicking on any row in a table of results produced using iplocation, why does it drill down to a search that returns 0 results?

sergiyyarinovsk
Explorer
‎04-05-2016 09:04 AM

Hi there

I have Splunk 6.4.0. I have a table with count of countries based on IP addresses. Search string:

index = my_index
| iplocation ipaddr
| stats count by Country
| sort count desc

Result looks like this:

Country        count
United States   180
China            26
Germany        24
Japan            17
...

Which is great. But when I click any row, I am redirected to the search:

index = my_index
| search Country="United States"
| iplocation ipaddr

It shows 0 results. If I move the search line after the iplocation line, then the search shows the correct count (because the Country field was created by the iplocation command). How can I fix this default behavior without manually changing thesearch string?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

arobbins_splunk
Splunk Employee
Splunk Employee
‎04-05-2016 11:10 AM

I think you've stumbled across a bug with the drilldown system.

As for changing the default, there is no way to change the way that drilldown works on the search page.

The only work-around I can think of is: make a dashboard with that search. You can then use "dynamic drilldown" which you can specify in the XML to craft the exact search that you want to run given a particular value for Country.

View solution in original post

Reply
Solved! Jump to solution
Solution

arobbins_splunk
Splunk Employee
Splunk Employee
‎04-05-2016 11:10 AM

I think you've stumbled across a bug with the drilldown system.

As for changing the default, there is no way to change the way that drilldown works on the search page.

The only work-around I can think of is: make a dashboard with that search. You can then use "dynamic drilldown" which you can specify in the XML to craft the exact search that you want to run given a particular value for Country.

Reply
Solved! Jump to solution

sergiyyarinovsk
Explorer
‎04-06-2016 02:28 AM

Actually yeah. Good point 🙂 But I have already done that with dynamic drilldown. Thanks anyway. I will provide my example for another users:

<panel>
  <table>
    <title>Logins by country</title>
    <searchString>
      index = my_index
      | iplocation ipaddr
      | stats count by Country
      | sort count desc
    </searchString>
    ...
    <drilldown>
      <link>
        <![CDATA[
            /app/my_splunk_app/search?q=search%20index%20%3D%20my_index ... %20%7C%20search%20Country%20%3D%20"$row.Country$" ...
        ]]>
      </link>
  </drilldown>
  ...
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...