Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After clicking on any row in a table of results produced using iplocation, why does it drill down to a search that returns 0 results?

sergiyyarinovsk
Explorer
‎04-05-2016 09:04 AM

Hi there

I have Splunk 6.4.0. I have a table with count of countries based on IP addresses. Search string:

index = my_index
| iplocation ipaddr
| stats count by Country
| sort count desc

Result looks like this:

Country        count
United States   180
China            26
Germany        24
Japan            17
...

Which is great. But when I click any row, I am redirected to the search:

index = my_index
| search Country="United States"
| iplocation ipaddr

It shows 0 results. If I move the search line after the iplocation line, then the search shows the correct count (because the Country field was created by the iplocation command). How can I fix this default behavior without manually changing thesearch string?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

arobbins_splunk
Splunk Employee
Splunk Employee
‎04-05-2016 11:10 AM

I think you've stumbled across a bug with the drilldown system.

As for changing the default, there is no way to change the way that drilldown works on the search page.

The only work-around I can think of is: make a dashboard with that search. You can then use "dynamic drilldown" which you can specify in the XML to craft the exact search that you want to run given a particular value for Country.

View solution in original post

Reply
Solved! Jump to solution
Solution

arobbins_splunk
Splunk Employee
Splunk Employee
‎04-05-2016 11:10 AM

I think you've stumbled across a bug with the drilldown system.

As for changing the default, there is no way to change the way that drilldown works on the search page.

The only work-around I can think of is: make a dashboard with that search. You can then use "dynamic drilldown" which you can specify in the XML to craft the exact search that you want to run given a particular value for Country.

Reply
Solved! Jump to solution

sergiyyarinovsk
Explorer
‎04-06-2016 02:28 AM

Actually yeah. Good point 🙂 But I have already done that with dynamic drilldown. Thanks anyway. I will provide my example for another users:

<panel>
  <table>
    <title>Logins by country</title>
    <searchString>
      index = my_index
      | iplocation ipaddr
      | stats count by Country
      | sort count desc
    </searchString>
    ...
    <drilldown>
      <link>
        <![CDATA[
            /app/my_splunk_app/search?q=search%20index%20%3D%20my_index ... %20%7C%20search%20Country%20%3D%20"$row.Country$" ...
        ]]>
      </link>
  </drilldown>
  ...
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...