Hi there folks,
I am building a custom alerts dashboard based on a search that returns a table (see demo screen below). I have it doing a lookup and adding a few custom fields I need based on the specific types of alerts found. Now I want to add a link to the dashboard so the user can go directly to the correct dashboard based on the specific alert. Unfortunately, the link I added based on a lookup doesn't actually work. This link is just a standard table drilldown.
Any ideas on how I can make my field use the link I give it? Can I specify this link in some part of the search so that when the table renders this field will use my link rather than a standard drilldown?
Here is the search in case it matters:
index="_audit" sourcetype="audittrail" action="alert_fired" ss_app="itg" | eval trigger_time=strftime(trigger_time,"%Y-%m-%d %H:%M:%S") | dedup ss_name | `replace_numeric_severity_with_text` | rex "(?i) *ss_name=\"(?P<ss_prefix>[a-z]+_)" | lookup itg_app_alerts search_source as ss_prefix OUTPUT support_team as local_support_team, dashboard_url as local_dashboard_url | table trigger_time, ss_name, severity, local_support_team, local_dashboard_url
And here is a picture of the search thus far to give you context. As you can see I have a URL in the last field that I want to use. But my URL doesn't get used, it's just the standard drilldown URL used by default in Splunk tables.
Thanks for any thoughts you have 🙂
Nice, thanks. It's working now. I appreciate the help 🙂
Just a note on this -
Make sure your application.js points to the correct views -
case "my_view": case "my_other_view":
---> These should match your view names exactly (make sure you don't use the .xml extension)
Let us know how it turned out!
OK, as often with Splunk documentation things look pretty easy but I don't get the desired results immediately. I guess I am missing something. Perhaps you can spot my error.
Per the docs ....
1) I've added the 2 critical bits to my Advanced XML. Ensuring that drilldown is set to row and that the module "NullModule" is added.
2) I went back to my search and ensured that the link field was first in the table and that it was properly labeled as "link".
Unfortunately it still doesn't do what I want it to. When I click it just launches the result set as usual.
Here is a snippet of the AdvancedXML for this panel in case you can spot my error:
Here is the tweaked search to make sure "link" is used first:
index="_audit" sourcetype="audittrail" action="alert_fired" ss_app="itg" | eval trigger_time=strftime(trigger_time,"%Y-%m-%d %H:%M:%S") | dedup ss_name | `replace_numeric_severity_with_text` | rex "(?i) *ss_name=\"(?P<ss_prefix>[a-z]+_)" | lookup itg_app_alerts search_source as ss_prefix OUTPUT support_team as local_support_team, dashboard_url as link | table link, trigger_time, ss_name, severity, local_support_team | rename trigger_time AS TIME, ss_name AS SEARCH_NAME, severity AS SEVERITY, local_support_team AS SUPPORT_TEAM
And here is a screenshot of the output that unfortunately doesn't launch my custom link yet:
Thanks for this tip, I will start working through the doc you referenced. I hope this will get me there 🙂
Walkthrough here
If you don't want the link in the 1st column, you'll need to change the drilldown for SimpleResultsTable to 'all'.
You may also need to override the drilldown for the other fields too.
Probably easier all round to keep the link in the 1st column.