How to Redirect hyperlink of one column to another column

aditsss
Motivator

Hi Everyone,

I have a requirement like this.

This is my search query.

index=xyz sourcetype=yui source="user.log" process (Type ="*") (Name_Id ="*") (Request_URL ="*")| convert timeformat="%Y-%m-%d" ctime(_time) AS Date| rex field=Request_URL "(?<id>[A_Za-z0-9]{8}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{12})"|fillnull value="" id| eval ClickHere= "https://cvb/api/?processGroupId=".id|stats count by Date Name_Id Type Request_URL id ClickHere

So I am getting data for Date, Name_Id, Type, Request_URL, id and ClickHere, where the ClickHere column is a hyperlink.

My Dashboard script:

<dashboard theme="dark">
<label>Process</label>
<row>
<panel>
<table>
<search>
<query>index=xyz sourcetype=yui source="user.log" process (Type ="*") (Name_Id ="*") (Request_URL ="*")| convert timeformat="%Y-%m-%d" ctime(_time) AS Date| rex field=Request_URL "(?&lt;id&gt;[A_Za-z0-9]{8}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{12})"|fillnull value="" id| eval ClickHere= "https://cvb/api/?processGroupId=".id|stats count by Date Name_Id Type Request_URL id ClickHere</query>


<earliest>-1d@d</earliest>
<latest>@d</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<condition field="ClickHere">
<link target="_blank">$row.ClickHere|n$</link>
</condition>
</drilldown>
</table>
</panel>
</row>
</dashboard>

Sample Request_URLs (there are multiple URLs):

https://cgy/api/flow/groups/ef451556-016d-1000-0000-00005025535d

https://jkl/api/groups/1b6877ea-0174-1000-0000-00003d8351cd/variable-registry


Sample of ClickHere column hyperlinks:

https://abc/api/?processGroupId=ef451556-016d-1000-0000-00005025535d

https://abc/api/?processGroupId=1b6877ea-0174-1000-0000-00003d8351cd

When I click on Request_URL https://cgy/api/flow/groups/ef451556-016d-1000-0000-00005025535d, it should open this ClickHere column hyperlink (https://abc/api/?processGroupId=ef451556-016d-1000-0000-00005025535d).

When I click on Request_URL https://jkl/api/groups/1b6877ea-0174-1000-0000-00003d8351cd/variable-registry, it should open this ClickHere column hyperlink (https://abc/api/?processGroupId=1b6877ea-0174-1000-0000-00003d8351cd).

 

In short, I want to remove the ClickHere column, and when I click on Request_URL it should take me to the link that the ClickHere column was taking me to.

Can someone guide me on how to do this in Splunk?

Thanks in advance.


bowesmana
SplunkTrust

There are at least 2 ways to do this.

See this dashboard:

<dashboard>
  <label>Click</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval Request_URL=split("https://cgy/api/flow/groups/ef451556-016d-1000-0000-00005025535d,https://jkl/api/groups/1b6877ea-0174-1000-0000-00003d8351cd/variable-registry",",")
| mvexpand Request_URL
| rex field=Request_URL "(?&lt;id&gt;[A_Za-z0-9]{8}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{12})"
| fillnull value="" id
| eval ClickHere= "https://cvb/api/?processGroupId=".id
          </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <fields>"Request_URL", "id"</fields>
        <drilldown>
          <condition field="Request_URL">
            <link target="_blank">$row.ClickHere|n$</link>
          </condition>
          <condition field="id">
            <link target="_blank">https://cvb/api/?processGroupId=$row.id$</link>
          </condition>
        </drilldown>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

It uses the <fields> XML element to restrict the fields that are displayed in the table even though the query calculates those fields. Those hidden fields are then available to the drilldown and part of the $row$ elements.

You can either pre-calculate the URL as you have done, or just use the fixed string + id in the drilldown. See the two examples above.

Hope this helps.
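
The rex, fillnull and eval steps that build the drilldown target, mirrored in Python as an added example (not part of either post; `click_here`, `click_here_strict` and the last three sample URLs are constructed for illustration). It shows that a URL with no extractable id still yields a link with an empty processGroupId, and that the class `[A_Za-z0-9]` as written accepts `_` but rejects most uppercase letters.

```python
import re
from typing import Optional

BASE = "https://cvb/api/?processGroupId="  # link prefix used in the thread

# Character class as written in the thread's rex. Inside [...], "A_Z" is the
# three literals A, _ and Z, not the range A-Z. Python spells the named group
# (?P<id>...) where Splunk's PCRE accepts (?<id>...).
SEG = r"[A_Za-z0-9]"
AS_POSTED = re.compile(
    rf"(?P<id>{SEG}{{8}}-{SEG}{{4}}-{SEG}{{4}}-{SEG}{{4}}-{SEG}{{12}})"
)
# Stricter pattern. Assumption: ids are hex UUIDs, as in the thread's samples.
HEX = r"[0-9A-Fa-f]"
HEX_UUID = re.compile(
    rf"(?<!{HEX})(?P<id>{HEX}{{8}}(?:-{HEX}{{4}}){{3}}-{HEX}{{12}})(?!{HEX})"
)


def click_here(request_url: str) -> str:
    """Mirror: rex ... | fillnull value="" id | eval ClickHere=BASE.id"""
    m = AS_POSTED.search(request_url)
    return BASE + (m.group("id") if m else "")


def click_here_strict(request_url: str) -> Optional[str]:
    """Return a link only when a hex UUID was extracted, else None."""
    m = HEX_UUID.search(request_url)
    return BASE + m.group("id") if m else None


# The first URL is a sample from the thread; the others are constructed.
SAMPLES = [
    "https://cgy/api/flow/groups/ef451556-016d-1000-0000-00005025535d",
    "https://cgy/api/flow/groups/EF451556-016D-1000-0000-00005025535D",
    "https://cgy/api/flow/groups/abcd_123-a_cd-1000-0000-00005025535d",
    "https://cgy/api/flow/status",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url)
        print("  as posted:", click_here(url))
        print("  strict   :", click_here_strict(url))
```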

 


aditsss
Motivator

Thank you so much. It works.
