Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pass a field value to a "Link to search" SPL query from a Dashboard table?

tdavison76
Path Finder
‎12-02-2024 06:50 AM

Hello,

I need help on passing a field value from a Dashboard table into a "Link to search" drilldown but can't figure it out.

I have a table that contains a "host" field.  I am needing to be able to click on any of the returned hosts and drill into all of the events for that host.  

I've tried in hopes that the $host$ would be replaced with the actual host name with this drilldown query:

source="udp:514" host="$host$.doman.com"

but, of course failed, it just get's replaced with "*".

I'm sure I'm probably way off on how to do this, but any help would be awesome. 🙂 

Thanks in advance.

Tom

Labels (1)
Labels
0 Karma
Reply

tdavison76
Path Finder
‎12-02-2024 08:16 AM

Hey guys,

Thanks for the quick help, still stuck for some reason.  So I've tried $row.host$ and $result.host$ but they both result in just passing $xxx.host$ for some reason.  Here's the config:

tdavison76_0-1733155819842.png

Here's the resulting search:

tdavison76_1-1733155959129.png

Here's the table query:

index="netscaler" host=*
| rex field="servicegroupname" "\?(?<Name>[^\?]+)"
| rex field="servicegroupname" "(?<ServiceGroup>[^\?]+)"
| rename "state" AS LastStatus
| eval Component = host."|".servicegroupname
| search Name=*
| eval c_time=strftime(Time,"%m/%d/%Y %H:%M:%S")
| streamstats window=1 current=f global=f values(LastStatus) as Status by Component
| where LastStatus!=Status
| rename _time as "Date"
| eval Date=strftime(Date, "%m/%d/%Y %H:%M:%S")
| table Date, host, ServiceGroup, Name, Status, LastStatus

 

And, here's a screenshot of the table if helpful. 🙂 

tdavison76_2-1733156117157.png

 

Thanks again for the help on this one, very much appreciated.

Tom

 

 

 

 

 

0 Karma
Reply

dural_yyz
Motivator
‎12-02-2024 08:26 AM

Ok so we know row and results works in other environments.  Something should be there based upon what we have seen from your SPL and table results.  I would recommend saving the updated drill down, then log out of splunk, close browser and clear cache/cookies, log into splunk, and reload dashboards.

0 Karma
Reply

tdavison76
Path Finder
‎12-02-2024 08:45 AM

Thanks,  I tried the steps, but same thing occurred.  I then quickly set up a Classic Dashboard instead of a Dashboard Studio, and it works.  Looks like either an issue with Studio, of maybe it's just done differently.  🙂

Thanks again,

Tom

 

0 Karma
Reply

dural_yyz
Motivator
‎12-02-2024 10:56 AM

I had assumed you were doing Classic XML to start, Dashboard Studio is slightly different I can try testing later.

0 Karma
Reply

tdavison76
Path Finder
‎12-02-2024 11:55 AM

Sorry about that, I didn't think it would matter.  Looks like it does.  I've created a Support ticket for this as well.  Hopefully, they'll get back to me.  If they do, I'll let you know the solution with Studio. 🙂

Thanks again,

Tom

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2024 12:23 PM

In Dashboard Studio it's $row.<<fieldname>>.value$.

$row.host.value$
---
If this reply helps you, Karma would be appreciated.
Reply

dural_yyz
Motivator
‎12-02-2024 07:45 AM

dural_yyz_0-1733154299777.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2024 08:16 AM

This is a better answer than mine.  $results$ will only pick up the first result rather than the row clicked.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2024 07:32 AM

Use $results.host$

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...