How do I modify ID results in a table to display a...

replicamask · ‎10-04-2018

Hey there,

I've been having a look around on here, and through Google, but so far coming I'm up blank.

I'm looking for a way to basically change how an ID is displayed in a table.

Say I run a search like this:

sourcetype=testsource | table _time, , sourcetype, id

and I get a table back like

_time     sourcetype     id
12:00     testsource      123

So while the id value is indeed 123, I would like to have it — depending on the ID —display with a URL or filepath. For example:

_time     sourcetype     id
12:00     testsource     test.com/123

Is this possible without diving into drill down and dashboards (http://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/DrilldownIntro), it's not going to be a regular requirement in a search so something I can throw in the query on the fly would be ideal.

TIA!

maciep · ‎10-07-2018

do you need it to be clickable? Or just url/filepath text?

 sourcetype=testsource | eval id = "test.com/" . id | table _time, sourcetype, id

replicamask · ‎10-09-2018

That is brilliant thank you very much! From everything I was looking up to have them clickable would involve the drill down and dashboards right? Or is there another method?
It's not a required functionality atm, but just curious since you mentioned it there 🙂

maciep · ‎10-09-2018

I think to make it clickable, you would have to put it in a dashboard and then use drilldown options or css etc. Not sure it can be done with just the normal table in search results.

How do I modify ID results in a table to display a URL or filepath?

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All