Splunk Search

Hyperlink an incident value to an external URL

jerinvarghese
Communicator

I have the below output from the Splunk query.

    Hostname    INC Number  Urgency   Time_CST            Description
1   CMPS3       INC000013   3-Medium  03/31/20 09:22:31
2   USBTNBTRF   INC000014   3-Medium  03/31/20 08:31:44
3   GQPCW       INC000015   2-High    03/31/20 08:28:43

I have the incident number in the table.
How do I give a hyperlink from those incident numbers to my incident management URL specific to the incident?

Code that I use:

index=itsm sourcetype=remedy_midtier *Incident_Number* *Host:* NOT *-VO* NOT *WSG* NOT *IPA* NOT *ADS* NOT *-SEC* NOT "*WLNSGW*" AND ("*-LAN*" OR "*-WAN*" OR "*-APN*") AND "Node is down"
| search $timetestD$
| rex field=_raw "Incident_Number\W(?<ITSM_Number>.*)\W\WIncident_Number\W.*"
| rex field=_raw "(Host:\s)(?<Hostname>[^\.<]+\.)"
| eval Hostname = upper(Hostname)
| rex field=_raw "(Urgency:\s)(?<Urgency>\S-\D*[{lmwh}$])"
| rex field=_raw "(AlertID:\s)(?<AlertID>[^\D*]+)"
| rex field=_raw "(Open\s:\s)(?<Description>[^\.*]+)"
| top limit=10000 Hostname, ITSM_Number, _time, Urgency, AlertID, Description
| eval Hostname=replace(Hostname,"[.]","")
| dedup ITSM_Number
| rename Hostname as nodelabel
| eval Time_CST=_time
| sort -Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| rename nodelabel as Hostname, ITSM_Number as "INC Number", AlertID as "Alert ID"
| table Hostname, "INC Number", Urgency, Time_CST, Description
| eval Description=substr(Description,1,150)
| sort -Time_CST
0 Karma

DalJeanis
Legend

Here's the way to figure that out.

1) Take your incident number (INC000013) from the output, and go to your incident management system. Enter that incident number.

2) Next, take the URL from the browser and copy the whole URL to a text editor. Let's say it looks like this:

 http://my.whole.url.com/somesystem/somefolder?&GRC=INC000013&fubar=no&something="xxx"

3) Take that entire url, and put it into some test SPL, then add any escape characters needed. Make sure it comes out the same when you run it as the original you copied.

| makeresults 
| eval myURL = "http:\/\/my.whole.url.com\/somesystem\/somefolder?&GRC=INC000013&fubar=no&something=\"xxx\""

4) Now do the same thing, but put the incident number in a different field and concatenate them to build the URL. Use the same name for that incident field as you are using in your other program.

 | makeresults 
 | eval incident="INC000013"
 | eval myURL = "http:\/\/my.whole.url.com\/somesystem\/somefolder?&GRC=".incident."&fubar=no&something=\"xxx\""

5) When that last line is making the exact URL you want, take the last line and put it into your other SPL, and you have what you want.

0 Karma
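
Added example, not part of the original answer: steps 4 and 5 with a format check placed before the concatenation. The rex in the question captures the incident number with `.*`, so the field can carry arbitrary text from the raw event into the link. The `^INC\d+$` pattern, the field name `incident` and the third sample row are constructed assumptions; the URL is the placeholder from step 2.

```spl
| makeresults count=3
| streamstats count AS n
``` constructed sample values; row 3 simulates a value that would alter the query string ```
| eval incident=case(n=1, "INC000013", n=2, "INC000014", n=3, "INC000015&fubar=yes")
``` only values that look like an incident number are allowed into the URL ```
| eval valid=if(match(incident, "^INC\d+$"), "yes", "no")
| eval myURL=if(valid="yes",
    "http://my.whole.url.com/somesystem/somefolder?&GRC=" . incident . "&fubar=no&something=\"xxx\"",
    null())
| table incident, valid, myURL
```

Rows 1 and 2 get a URL; row 3 is flagged `valid=no` and gets no link, so it can be reviewed rather than clicked.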

to4kawa
Ultra Champion
0 Karma