Splunk Search

Perform another search from the search result

wiggler
Explorer

Hi Splunk Gurus,

I am not sure what is the term to use about my question, so I will explain it so everyone will understand.

Let say I have a dashboard and the query for my dashboard is something like this:

| dbxquery connection=DATAFILES query="select a.project.dir, a.project.location, a.project.owner, b.fileinfo.filename from project a, fileinfo b WHERE b.fileinfo.id = a.project.id

What I want to achieve is that, if user click one of the owner, it will do another search for all the files owned by the user and will display in the dashboard.

Thanks.

Tags (1)
0 Karma

niketn
Legend

@wiggler, Based on your description, you want to perform Table Drilldown on a.project.owner field.
Following is a run anywhere example which created two a.project.owner values.

Table drilldown has following notable behavior:
1) Owner value is passed on to the second search only if a row in the a.project.owner field is selected. This is optional. As far as specific row with Owner Name you are interested in is clicked you can access the Owner value displayed in the table as explained in the next point.

   <condition field="a.project.owner">

2) a.project.owner value is access based on selected row using predefined table drilldown token $row.<fieldName>$

  <set token="tok_owner">$row.a.project.owner$</set>

3) Token to be used in second search is unset if any field other than a.project.owner is clicked. This is to hide the second panel and stop the search. This is also optional.

       <condition>
         <unset token="tok_owner"></unset>
       </condition>

Depending on your Splunk version I think 6.5 and 6.6 drilldown options are available directly from the UI edit option. However, it is better if you familiarize yourself with Simple XML drilldown coding as well.

  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval a.project.owner="Test Owner1"
| append [| makeresults
| eval a.project.owner="Test Owner2"]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="a.project.owner">
            <set token="tok_owner">$row.a.project.owner$</set>
          </condition>
          <condition>
            <unset token="tok_owner"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$tok_owner$">
      <table>
        <title>$tok_owner$</title>
        <search>
          <query>| makeresults
| eval a.project.owner="Selected Owner - "."$tok_owner$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row> 
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

wiggler
Explorer

@niketnilay, I will try your solution and let you know with the results. thank you very much

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...