Can I set a specific link for a given field in a search table

Andrew_Banman
Explorer

Hi there folks,

I am building a custom alerts dashboard based on a search that returns a table (see demo screen below). I have it doing a lookup and adding a few custom fields I need based on the specific types of alerts found. Now I want to add a link to the dashboard so the user can go directly to the correct dashboard based on the specific alert. Unfortunately, the link I added based on a lookup doesn't actually work. This link is just a standard table drilldown.

Any ideas on how I can make my field use the link I give it? Can I specify this link in some part of the search so that when the table renders, this field will use my link rather than a standard drilldown?

Here is the search in case it matters:

index="_audit" sourcetype="audittrail" action="alert_fired" ss_app="itg"
| eval trigger_time=strftime(trigger_time,"%Y-%m-%d %H:%M:%S")
| dedup ss_name
| `replace_numeric_severity_with_text`
| rex "(?i) *ss_name=\"(?P<ss_prefix>[a-z]+_)"
| lookup itg_app_alerts search_source as ss_prefix OUTPUT support_team as local_support_team, dashboard_url as local_dashboard_url
| table trigger_time, ss_name, severity, local_support_team, local_dashboard_url

And here is a picture of the search thus far to give you context. As you can see, I have a URL in the last field that I want to use. But my URL doesn't get used; it's just the standard drilldown URL used by default in Splunk tables.


Thanks for any thoughts you have 🙂


Andrew_Banman
Explorer

Nice, thanks. It's working now. I appreciate the help 🙂


Flynt
Splunk Employee

Just a note on this -

Make sure your application.js points to the correct views -

case "my_view": case "my_other_view":

---> These should match your view names exactly (make sure you don't use the .xml extension).

Let us know how it turned out!


Andrew_Banman
Explorer

OK, as often with Splunk documentation things look pretty easy but I don't get the desired results immediately. I guess I am missing something. Perhaps you can spot my error.

Per the docs ....

1) I've added the 2 critical bits to my Advanced XML. Ensuring that drilldown is set to row and that the module "NullModule" is added.

2) I went back to my search and ensured that the link field was first in the table and that it was properly labeled as "link".

Unfortunately it still doesn't do what I want it to. When I click, it just launches the result set as usual.

Here is a snippet of the AdvancedXML for this panel in case you can spot my error:

Advanced XML Snippet

Here is the tweaked search to make sure "link" is used first:

index="_audit" sourcetype="audittrail" action="alert_fired" ss_app="itg"
| eval trigger_time=strftime(trigger_time,"%Y-%m-%d %H:%M:%S")
| dedup ss_name
| `replace_numeric_severity_with_text`
| rex "(?i) *ss_name=\"(?P<ss_prefix>[a-z]+_)"
| lookup itg_app_alerts search_source as ss_prefix OUTPUT support_team as local_support_team, dashboard_url as link
| table link, trigger_time, ss_name, severity, local_support_team
| rename trigger_time AS TIME, ss_name AS SEARCH_NAME, severity AS SEVERITY, local_support_team AS SUPPORT_TEAM

And here is a screenshot of the output that unfortunately doesn't launch my custom link yet:

Screenshot


Andrew_Banman
Explorer

Thanks for this tip, I will start working through the doc you referenced. I hope this will get me there 🙂


jonuwz
Influencer

Walkthrough here

If you don't want the link in the 1st column, you'll need to change the drilldown for SimpleResultsTable to 'all'.

You may also need to override the drilldown for the other fields too.

Probably easier all round to keep the link in the 1st column.
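An added example (not code from this thread or from Splunk) of the click and render logic such a custom "link" column needs: the row's first-column `link` value decides the navigation target, and because that value comes from an editable lookup CSV, only http(s) URLs or host-relative paths are honoured, anything else falls back to the default drilldown. The function names are assumptions, and the wiring into application.js for the views named in the `case` lines above is not shown.

```javascript
// Added example, not code from this thread or from Splunk: the click and
// render logic a custom "link" column needs when the URL comes from a lookup.
// Function names are assumptions; wiring into application.js is not shown.

const ALLOWED_SCHEMES = ["http:", "https:"];

// Honour only absolute http(s) URLs or host-relative paths (e.g. /app/itg/...).
// A lookup CSV is editable data, so javascript:, data: and protocol-relative
// (//other-host) values are rejected rather than rendered as live links.
function isSafeLink(value) {
  if (typeof value !== "string") return false;
  const v = value.trim();
  if (v === "") return false;
  if (v.startsWith("/")) return !v.startsWith("//");
  try {
    return ALLOWED_SCHEMES.includes(new URL(v).protocol);
  } catch (e) {
    return false; // not an absolute URL at all
  }
}

// Escape for safe inclusion in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s == null ? "" : s).replace(/[&<>"']/g, (c) => map[c]);
}

// Cell content for the first ("link") column: an anchor when the value is
// safe, otherwise the escaped raw text so a bad lookup row is visible, not live.
function linkCellHtml(link, label) {
  if (!isSafeLink(link)) return escapeHtml(link);
  return `<a href="${escapeHtml(link.trim())}">${escapeHtml(label)}</a>`;
}

// Row-click decision: the target to navigate to, or null to fall back to the
// default drilldown (the "launches the result set" behaviour seen in the thread).
function rowClickTarget(row) {
  return isSafeLink(row.link) ? row.link.trim() : null;
}

// Constructed sample rows shaped like the tweaked search's output.
const sampleRows = [
  { link: "/app/itg/payments_dashboard", SEARCH_NAME: "pay_failed_txn", SEVERITY: "High" },
  { link: "https://splunk.example.com/app/itg/web_dashboard", SEARCH_NAME: "web_5xx", SEVERITY: "Medium" },
  { link: "javascript:void(0)", SEARCH_NAME: "bad_lookup_row", SEVERITY: "Low" },
];

for (const row of sampleRows) {
  console.log(row.SEARCH_NAME, "->", rowClickTarget(row));
}
```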
