Splunk Search

Perform another search from the search result

wiggler
Explorer

Hi Splunk Gurus,

I am not sure what term to use for my question, so I will explain it so everyone will understand.

Let's say I have a dashboard and the query for my dashboard is something like this:

| dbxquery connection=DATAFILES query="select a.project.dir, a.project.location, a.project.owner, b.fileinfo.filename from project a, fileinfo b WHERE b.fileinfo.id = a.project.id"

What I want to achieve is that if a user clicks one of the owners, it will do another search for all the files owned by that user and display them in the dashboard.

Thanks.


niketn
Legend

@wiggler, based on your description, you want to perform Table Drilldown on the a.project.owner field.
Following is a run-anywhere example which creates two a.project.owner values.

Table drilldown has the following notable behavior:
1) The Owner value is passed on to the second search only if a row in the a.project.owner field is selected. This is optional. As long as the specific row with the Owner Name you are interested in is clicked, you can access the Owner value displayed in the table as explained in the next point.

   <condition field="a.project.owner">

2) The a.project.owner value is accessed based on the selected row using the predefined table drilldown token $row.<fieldName>$

  <set token="tok_owner">$row.a.project.owner$</set>

3) The token used in the second search is unset if any field other than a.project.owner is clicked. This is to hide the second panel and stop the search. This is also optional.

       <condition>
         <unset token="tok_owner"></unset>
       </condition>

Depending on your Splunk version (I think 6.5 and 6.6), drilldown options are available directly from the UI edit option. However, it is better if you familiarize yourself with Simple XML drilldown coding as well.

<dashboard>
  <label>Table drilldown example</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Two sample rows so the example runs anywhere -->
          <query>| makeresults
| eval a.project.owner="Test Owner1"
| append [| makeresults
| eval a.project.owner="Test Owner2"]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <!-- Clicking an owner cell sets tok_owner from the clicked row -->
          <condition field="a.project.owner">
            <set token="tok_owner">$row.a.project.owner$</set>
          </condition>
          <!-- Clicking any other cell unsets it, hiding the second panel -->
          <condition>
            <unset token="tok_owner"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Second panel is shown, and its search runs, only while tok_owner is set -->
    <panel depends="$tok_owner$">
      <table>
        <title>$tok_owner$</title>
        <search>
          <query>| makeresults
| eval a.project.owner="Selected Owner - "."$tok_owner$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

wiggler
Explorer

@niketnilay, I will try your solution and let you know the results. Thank you very much.
