Splunk Search

How to click on table cell to go to a URL referenced in event field (not in row data)?

c_yeo
New Member

I can't seem to figure out how to configure my XML so that when I click on a table cell, I go to a URL referenced in the cell's event's url_id field. The url_id field is in the same event as which I grab the table cell's value, but it is not actually in the table. Then, after setting the token as url_token, I set a link in drilldown with <link>https://specificurl.com/$url_token$</link>. However, when I test it out in my dashboard, clicking on a table cell brings me to https://specificurl.com/%24result.url_id%24 instead.

Any suggestions for what to do to fix this? Thank you.

<panel>
  <table>
    <search>
      <query> [search query here] </query>
      <earliest>@w0</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
      <finalized>
        <set token="url_token">$result.url_id$</set>
      </finalized>
    </search>
    <option name="count">50</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
        <link>https://specificurl.com/$url_token$</link>
    </drilldown>
  </table>
</panel>
0 Karma

niketn
Legend

@c_yeo you are trying to merge two different features together i.e. Search Event Handler and Drilldown.

Using $result.<yourFieldName>$ in <progress> or <done> Search Event Handler you get only one or first value of your field. Which is not what you want. Moreover the <finalized> search event handler was deprecated from Splunk 6.5 onward so it would not work with latest version anyways. This is the reason why you are getting %24 in your drilldown URL is because is it the URL encoded character for $ which implies your token from search event handler is not getting resolved.

What you need to do is to use built-in drilldown token called $row.<yourFieldName>$ to access the field value from the row in the table which is clicked.

Please try out following drilldown code

   <drilldown>
       <link target="_blank">https://specificurl.com/$row.url_id$</link>
   </drilldown>

Following is a run anywhere example for you to try and confirm:

<dashboard>
  <label>Link to URL using token from table</label>
  <row>
   <panel>
     <table>
       <search>
         <query>| makeresults
         | eval urlid="splunk,splunkbase,splunk answers"
         | makemv urlid delim=","
         | mvexpand urlid</query>
         <earliest>@w0</earliest>
         <latest>now</latest>
         <sampleRatio>1</sampleRatio>
       </search>
       <option name="count">50</option>
       <option name="dataOverlayMode">none</option>
       <option name="drilldown">cell</option>
       <option name="percentagesRow">false</option>
       <option name="refresh.display">progressbar</option>
       <option name="rowNumbers">false</option>
       <option name="totalsRow">false</option>
       <option name="wrap">true</option>
       <drilldown>
           <link target="_blank">https://www.google.com/search?&amp;q=$row.urlid$</link>
       </drilldown>
     </table>
   </panel>
  </row>
</dashboard>

PS: Also check out Splunk Dashboard Examples app to check out several drilldown examples including link to URL.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

c_yeo
New Member

@niketnilay thank you -- I've tried out your suggestion using $row.urlid$ in the drilldown. However, now when I click on the cell, I am bounced to the link https://specificurl.com/$row.urlid$. I think it's important for me to note that I do not reference the field urlid in my search query at all, I am handling other fields. Do you have any further suggestions for the tokenization to succeed?

0 Karma

vnravikumar
Champion

Hi

Check this, here url will not display in the table but onclick of Host it is used in the drilldown.

<dashboard>
  <label>drilldown_url</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval url="http://www.google.com",Host="Google" 
| append 
    [| makeresults 
    | eval url="http://www.yahoo.com",Host="Yahoo"] 
| append 
    [| makeresults 
    | eval url="http://www.facebook.com",Host="Facebook"]|table url,_time,Host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
       <fields>_time,Host</fields>
        <drilldown>
         <eval token="url">replace($row.url$, "http://", ""</eval>
           <link target="_blank">
             <![CDATA[ http://$url$ ]]>
           </link>
           </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...