Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to pass a field value to a "Link to search" SPL query from a Dashboard table?

tdavison76
Path Finder
‎12-02-2024 06:50 AM

Hello,

I need help on passing a field value from a Dashboard table into a "Link to search" drilldown but can't figure it out.

I have a table that contains a "host" field.  I am needing to be able to click on any of the returned hosts and drill into all of the events for that host.  

I've tried in hopes that the $host$ would be replaced with the actual host name with this drilldown query:

source="udp:514" host="$host$.doman.com"

but, of course failed, it just get's replaced with "*".

I'm sure I'm probably way off on how to do this, but any help would be awesome. 🙂 

Thanks in advance.

Tom

Labels (1)
Labels
0 Karma
Reply

tdavison76
Path Finder
‎12-02-2024 08:16 AM

Hey guys,

Thanks for the quick help, still stuck for some reason.  So I've tried $row.host$ and $result.host$ but they both result in just passing $xxx.host$ for some reason.  Here's the config:

tdavison76_0-1733155819842.png

Here's the resulting search:

tdavison76_1-1733155959129.png

Here's the table query:

index="netscaler" host=*
| rex field="servicegroupname" "\?(?<Name>[^\?]+)"
| rex field="servicegroupname" "(?<ServiceGroup>[^\?]+)"
| rename "state" AS LastStatus
| eval Component = host."|".servicegroupname
| search Name=*
| eval c_time=strftime(Time,"%m/%d/%Y %H:%M:%S")
| streamstats window=1 current=f global=f values(LastStatus) as Status by Component
| where LastStatus!=Status
| rename _time as "Date"
| eval Date=strftime(Date, "%m/%d/%Y %H:%M:%S")
| table Date, host, ServiceGroup, Name, Status, LastStatus

 

And, here's a screenshot of the table if helpful. 🙂 

tdavison76_2-1733156117157.png

 

Thanks again for the help on this one, very much appreciated.

Tom

 

 

 

 

 

0 Karma
Reply

dural_yyz
Motivator
‎12-02-2024 08:26 AM

Ok so we know row and results works in other environments.  Something should be there based upon what we have seen from your SPL and table results.  I would recommend saving the updated drill down, then log out of splunk, close browser and clear cache/cookies, log into splunk, and reload dashboards.

0 Karma
Reply

tdavison76
Path Finder
‎12-02-2024 08:45 AM

Thanks,  I tried the steps, but same thing occurred.  I then quickly set up a Classic Dashboard instead of a Dashboard Studio, and it works.  Looks like either an issue with Studio, of maybe it's just done differently.  🙂

Thanks again,

Tom

 

0 Karma
Reply

dural_yyz
Motivator
‎12-02-2024 10:56 AM

I had assumed you were doing Classic XML to start, Dashboard Studio is slightly different I can try testing later.

0 Karma
Reply

tdavison76
Path Finder
‎12-02-2024 11:55 AM

Sorry about that, I didn't think it would matter.  Looks like it does.  I've created a Support ticket for this as well.  Hopefully, they'll get back to me.  If they do, I'll let you know the solution with Studio. 🙂

Thanks again,

Tom

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2024 12:23 PM

In Dashboard Studio it's $row.<<fieldname>>.value$.

$row.host.value$
---
If this reply helps you, Karma would be appreciated.
Reply

dural_yyz
Motivator
‎12-02-2024 07:45 AM

dural_yyz_0-1733154299777.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2024 08:16 AM

This is a better answer than mine.  $results$ will only pick up the first result rather than the row clicked.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2024 07:32 AM

Use $results.host$

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...