Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Replace URL string with a hyperlink in splunk
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aditsss
Motivator
08-24-2020
10:34 AM
Hi Everyone,
I have a search query as below:
index=xyz sourcetype=uio source="user.log" process (Type ="*") (Name_Id ="*") (Request_URL ="*")| convert timeformat="%Y-%m-%d" ctime(_time) AS Date|stats count by Date Name_Id Type Request_URLI am getting the data for Date Name_Id Type Request_URL
There are multiple Request_URL's .Some of the samples are
https://xyz/api/flow/process-groups/0a4ffa54-c204-3e9e-a16d-83a4845f83a7
https://uio/api/flow/process-groups/1b6877ea-0174-1000-0000-00003d8351cd
I want one more column (Any name) in my search query.Which will Replace Request_URL string like this.
This new column should be hyperlink.
https://abc.com/api/?processGroupId=0a4ffa54-c204-3e9e-a16d-83a4845f83a7
https://abc.com/api/?processGroupId=1b6877ea-0174-1000-0000-00003d8351cd
I want to display both Request_URL and this new column in my search data
Its like whenever Request_URL https://xyz/api/flow/process-groups/0a4ffa54-c204-3e9e-a16d-83a4845f83a7 will come . The new column which will be hyperlink should be this https://abc.com/api/?processGroupId=0a4ffa54-c204-3e9e-a16d-83a4845f83a7.
I want both to get displayed.
Can someone guide me on that.
Thanks in advance.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nisha18789
Builder
08-24-2020
11:28 PM
@aditsss , there was a typo in the condition field name, I have updated my response(in bold) can you try now?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nisha18789
Builder
08-24-2020
10:59 AM
Hi @aditsss , can you try this
index=xyz sourcetype=uio source="user.log" process (Type ="*") (Name_Id ="*") (Request_URL ="*")| convert timeformat="%Y-%m-%d" ctime(_time) AS Date|stats count by Date Name_Id Type Request_URL
|rex field=Request_URL "\/(?<param>.[0-aA-Z0-9-][^\/]+)"
| eval hyperlink="https://abc.com/api/?processGroupId="+param
| fields - param
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aditsss
Motivator
08-24-2020
11:30 AM
Hi,
I made the changes in my search query as below:
index=xyz sourcetype=uio source="user.log" process (Type ="*") (Name_Id ="*") (Request_URL ="*")| convert timeformat="%Y-%m-%d" ctime(_time) AS Date
|rex field=Request_URL "\/(?<param>.[0-aA-Z0-9-][^\/]+)"
| eval hyperlink="https://abc.com/api/?processGroupId="+param
|stats count by Date Name_Id Type Request_URL param hyperlink
I am able to get new column but Its not clickable. When I right click on it hyperlink is not opening.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nisha18789
Builder
08-24-2020
11:32 AM
hello @aditsss , are you trying to use this data in a dashboard or email alert?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aditsss
Motivator
08-24-2020
11:41 AM
Hi Nisha18789,
As of now I am using in my search Query.
On search window I have open this query. I want that when I click on new column It should open hyperlink in new tab.
I am able to get hyperlink the way you told .But its not clickable.
Can u guide me on that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aditsss
Motivator
08-24-2020
12:31 PM
Hi ,
I have but the data in dashboard. Can you guide me how to make it hyperlink now.
<dashboard>
<label> Panel 2</label>
<row>
<panel>
<table>
<search>
<query>
index=xyz sourcetype=uio source="user.log" process (Type ="*") (Name_Id ="*") (Request_URL ="*")| convert timeformat="%Y-%m-%d" ctime(_time) AS Date|rex field=Request_URL "\/(?<param>.[0-aA-Z0-9-][^\/]+)"| eval hyperlink="https://abc.com/api/?processGroupId="+param|stats count by Date Name_Id Type Request_URL param hyperlink
</query>
<earliest>-1d@d</earliest>
<latest>@d</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">no</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nisha18789
Builder
08-24-2020
03:03 PM
hi @aditsss , this should help
<dashboard>
<label>Panel 2</label>
<row>
<panel>
<table>
<search>
<query>index=xyz sourcetype=uio source="user.log" process (Type ="*") (Name_Id ="*") (Request_URL ="*")| convert timeformat="%Y-%m-%d" ctime(_time) AS Date|rex field=Request_URL "\/(?<param>.[0-aA-Z0-9-][^\/]+)"| eval hyperlink="https://abc.com/api/?processGroupId="+param|stats count by Date Name_Id Type Request_URL param hyperlink</query>
<latest>@d</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<fields>["Name_Id","Type","Request_URL","hyperlink","count"]</fields>
<drilldown>
<condition field="hyperlink">
<link target="_blank">https://abc.com/api/?processGroupId=$row.param$</link>
</condition>
</drilldown>
</table>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aditsss
Motivator
08-24-2020
08:30 PM
Hi, Seems like condition field is not working for me.
I have tried something like this but taking each and every column to that hyperlink.
I want only new column should take me to that server . Not every column.
<dashboard>
<label>Panel 2</label>
<row>
<panel>
<table>
<search>
<query>index=xyz sourcetype=uio source="user.log" process (Type ="*") (Name_Id ="*") (Request_URL ="*")| convert timeformat="%Y-%m-%d" ctime(_time) AS Date|rex field=Request_URL "\/(?<param>.[0-aA-Z0-9-][^\/]+)"| eval hyperlink="https://abc.com/api/?processGroupId="+param|stats count by Date Name_Id Type Request_URL param hyperlink</query>
<latest>@d</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<fields>["Name_Id","Type","Request_URL","hyperlink","count"]</fields>
<drilldown>
<link target="_blank">https://abc.com/api/?processGroupId=$row.param$</link>
</drilldown>
</table>
</panel>
</row>
</dashboard>
<label>Panel 2</label>
<row>
<panel>
<table>
<search>
<query>index=xyz sourcetype=uio source="user.log" process (Type ="*") (Name_Id ="*") (Request_URL ="*")| convert timeformat="%Y-%m-%d" ctime(_time) AS Date|rex field=Request_URL "\/(?<param>.[0-aA-Z0-9-][^\/]+)"| eval hyperlink="https://abc.com/api/?processGroupId="+param|stats count by Date Name_Id Type Request_URL param hyperlink</query>
<latest>@d</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<fields>["Name_Id","Type","Request_URL","hyperlink","count"]</fields>
<drilldown>
<link target="_blank">https://abc.com/api/?processGroupId=$row.param$</link>
</drilldown>
</table>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nisha18789
Builder
08-24-2020
11:28 PM
@aditsss , there was a typo in the condition field name, I have updated my response(in bold) can you try now?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aditsss
Motivator
08-25-2020
11:36 AM
Thank you Nisha18789 . It works.
Get Updates on the Splunk Community!
Splunk App for Anomaly Detection End of Life Announcment
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
