Hyperlink an incident value to an external URL

jerinvarghese
Communicator

I have the below output from the Splunk query.

    Hostname    INC Number  Urgency   Time_CST           Description
1   CMPS3       INC000013   3-Medium  03/31/20 09:22:31
2   USBTNBTRF   INC000014   3-Medium  03/31/20 08:31:44
3   GQPCW       INC000015   2-High    03/31/20 08:28:43

I have the incident number in the table.
How do I give a hyperlink from those incident numbers to my incident management URL specific to the incident?

Code that I use:

index=itsm sourcetype=remedy_midtier *Incident_Number* *Host:* NOT *-VO* NOT *WSG* NOT *IPA* NOT *ADS* NOT *-SEC* NOT "*WLNSGW*" AND ("*-LAN*" OR "*-WAN*" OR "*-APN*") AND "Node is down"
| search $timetestD$
| rex field=_raw "Incident_Number\W(?<ITSM_Number>.*)\W\WIncident_Number\W.*"
| rex field=_raw "(Host:\s)(?<Hostname>[^\.<]+\.)"
| eval Hostname = upper(Hostname)
| rex field=_raw "(Urgency:\s)(?<Urgency>\S-\D*[{lmwh}$])"
| rex field=_raw "(AlertID:\s)(?<AlertID>[^\D*]+)"
| rex field=_raw "(Open\s:\s)(?<Description>[^\.*]+)"
| top limit=10000 Hostname, ITSM_Number, _time, Urgency, AlertID, Description
| eval Hostname=replace(Hostname,"[.]","")
| dedup ITSM_Number
| rename Hostname as nodelabel
| eval Time_CST=_time
| sort -Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| rename nodelabel as Hostname, ITSM_Number as "INC Number", AlertID as "Alert ID"
| table Hostname, "INC Number", Urgency, Time_CST, Description
| eval Description=substr(Description,1,150)
| sort -Time_CST
0 Karma

DalJeanis
Legend

Here's the way to figure that out.

1) Take your incident number (INC000013) from the output, and go to your incident management system. Enter that incident number.

2) Next, take the URL from the browser and copy the whole URL to a text editor. Let's say it looks like this:

 http://my.whole.url.com/somesystem/somefolder?&GRC=INC000013&fubar=no&something="xxx";

3) Take that entire url, and put it into some test SPL, then add any escape characters needed. Make sure it comes out the same when you run it as the original you copied.

| makeresults 
| eval myURL = "http:\/\/my.whole.url.com\/somesystem\/somefolder?&GRC=INC000013&fubar=no&something=\"xxx\""

4) Now do the same thing, but put the incident number in a different field and concatenate them to build the URL. Use the same name for that incident field as you are using in your other program.

 | makeresults 
 | eval incident="INC000013"
 | eval myURL = "http:\/\/my.whole.url.com\/somesystem\/somefolder?&GRC=".incident."&fubar=no&something=\"xxx\""

5) When that last line is making the exact URL you want, take the last line and put it into your other SPL, and you have what you want.

0 Karma
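
Added example, not part of either post: the concatenation from step 4 applied to the question's ITSM_Number field, with a format check before the URL is built, because that field is captured with a greedy `.*` and whatever it contains ends up in the link. The three sample values are constructed, and the `^INC\d+$` pattern is an assumption about the incident-number format taken from the table in the question.

```spl
| makeresults
| eval ITSM_Number=split("INC000013;INC000014&fubar=yes;INC 000015", ";")
| mvexpand ITSM_Number
| eval url_ok=if(match(ITSM_Number, "^INC\d+$"), "yes", "no")
| eval myURL=if(url_ok="yes", "http://my.whole.url.com/somesystem/somefolder?&GRC=".ITSM_Number."&fubar=no&something=\"xxx\"", null())
| table ITSM_Number, url_ok, myURL
```

Only the first row gets a myURL value. The other two are left empty because the extra characters would alter the query string of the link.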

to4kawa
Ultra Champion
0 Karma