Splunk Search

Perform another search from the search result

wiggler
Explorer

Hi Splunk Gurus,

I am not sure what term to use for my question, so I will explain it so everyone will understand.

Let's say I have a dashboard and the query for my dashboard is something like this:

| dbxquery connection=DATAFILES query="select a.project.dir, a.project.location, a.project.owner, b.fileinfo.filename from project a, fileinfo b WHERE b.fileinfo.id = a.project.id"

What I want to achieve is that, if a user clicks one of the owners, it will do another search for all the files owned by that user and display them in the dashboard.

Thanks.


niketnilay
Legend

@wiggler, Based on your description, you want to perform Table Drilldown on a.project.owner field.
Following is a run anywhere example which created two a.project.owner values.

Table drilldown has following notable behavior:
1) The Owner value is passed on to the second search only if a row in the a.project.owner field is selected. This is optional. As long as the specific row with the Owner name you are interested in is clicked, you can access the Owner value displayed in the table as explained in the next point.

   <condition field="a.project.owner">

2) The a.project.owner value is accessed based on the selected row using the predefined table drilldown token $row.<fieldName>$

  <set token="tok_owner">$row.a.project.owner$</set>

3) Token to be used in second search is unset if any field other than a.project.owner is clicked. This is to hide the second panel and stop the search. This is also optional.

       <condition>
         <unset token="tok_owner"></unset>
       </condition>

Depending on your Splunk version (I think 6.5 and 6.6), drilldown options are available directly from the UI edit option. However, it is better if you familiarize yourself with Simple XML drilldown coding as well.

<form>
  <label>Table drilldown example</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval a.project.owner="Test Owner1"
| append [| makeresults
| eval a.project.owner="Test Owner2"]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="a.project.owner">
            <set token="tok_owner">$row.a.project.owner$</set>
          </condition>
          <condition>
            <unset token="tok_owner"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$tok_owner$">
      <table>
        <title>$tok_owner$</title>
        <search>
          <query>| makeresults
| eval a.project.owner="Selected Owner - "."$tok_owner$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

wiggler
Explorer

@niketnilay, I will try your solution and let you know the results. Thank you very much.
