
Easier navigation: How do you *un* drill down in Splunk-web?

Engager

Drill down is one of the best features of Splunk, making it easy to use as a diagnostic tool when looking for unknown causes of issues. However, I'm often frustrated by not being able to undo a drill down. Especially if I fat-finger something and spoil a drill-down search I'd been carefully building up. Often I will hit a dead end and want to return to a wider search that I had been looking at previously that was "almost" what I wanted.

Browser go-back-one-page doesn't do this. I can't find any bread-crumb facility to return to one of a number of previous searches. I can't find a way to un-zoom to a previous time range.

The pulldown under the search bar has "my search history" and "my command history". But it seems to only hold searches you manually typed in or edited. Not the drill-down stuff (like in the search results when you alt-click on unwanted hosts; or click on a user-id of interest).

What did I miss? Can this be a feature request: better breadcrumb support.

Path Finder

Might not be what you're looking for, but have you considered targeting to a new window?

The docs describe it here: https://docs.splunk.com/Documentation/Splunk/6.0.2/Viz/Dynamicdrilldownindashboardsandforms

0 Karma

SplunkTrust

If you download Sideview Utils and use the view at /app/sideview_utils/search, it's basically a version of flashtimeline with back button support. So in this view if you accidentally fat-finger a drilldown you can just use the back button to go back, forward button to go forward, etc.

If you like that and you want to use this view instead of the default search view, you have to change the sharing on it. Go to Manager > User Interface > Views, and edit the view's permissions so that it's visible from all apps.

UPDATE: And the view has an endless scroller built into it too so you don't have to click page links - scrolling down will automatically fetch more events. And I eliminated some elements and tweaked others so much more of the interface ends up filled with your actual events.

0 Karma

Engager

Another wish-list item would be left and right arrows beside the timeline that scoot you forward or backward another chunk of time. E.g. if I zoomed into a one hour wide bar, by double-clicking, it would be nice to scroll over to the next hour beside it. Right now, if I zoom out, it doesn't ever seem to pick up portions of the time range to the right, only to the left.

0 Karma

Path Finder

I have a search under the Searches and Reports menu, called "Search History". It runs the following search (without the quotes): "| history | fields + _time search".

I cut & paste the relevant search back into the command line (without the word "search"), replacing what is there.

Unfortunately, the green Splunk button [>] does not work properly (in v 4.2.3). It seems that you need to have your cursor in the command line and then hit Enter.

You also need to adjust the time range yourself. Perhaps after hitting Enter.

0 Karma

Builder

The 'Jobs' menu is your friend.

As long as your previous search was run in the last 15 min, you can click on the jobs menu and resurrect it. Make sure you re-run the search as restoring it doesn't reset the 15 minute timer.

If it is over the 15 minute time out though, you will have to search for it.

search index=_internal sourcetype="searches"

then cut and paste the search

Splunk Employee

Browser back button is NOT the answer. We can't control browser behavior 🙂

If you are performing ad hoc search in the search bar, try ctrl+z (or command+z on Mac) to undo what you typed.

If you are searching by clicking on terms or fields in the event viewer, simply click on them again to remove them from search.

If you are zooming in on the flash time line, just click on "Zoom out" on the top left of the time line to zoom back out.

If you want to view your search history and you have access to Splunk's internal logs (i.e. you are an admin), open another tab to Splunk and search:

index=_internal sourcetype=searches user=<your_username>

SplunkTrust

The answer, as far as I have been able to determine, is that you cannot un-drill down in Splunk Web. The workaround is to modify the search string, erasing what was put there by the initial drilldown. This isn't as nice as a back button, or some similar mechanism (hotkey?) to move backwards.

0 Karma