Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Renaming regex returned token values and passing old token value(before they were renamed) to a drilldown search query i

nsingh49
Explorer
‎09-05-2021 01:00 PM

I have a splunk query that finds top errors in the log using regular expression. I then display it as a bar chart:

            someSearchQuery|rex "someTerm(?<error>)|stats count by error|sort -count | head 10

I want to use the values returned by the query in a drill down such that on click on barchart the drilldown displays result for that value

the drilldown xml i used for setting token is this

        <drilldown>
            <set token="show_panel">true</set>
            <set token="selected_value">$click.value$</set>
       </drilldown>


and then I use this token in the drilldown query as such


someSearchQuery|rex "someTerm(?<error>)|search error=$selected_value$|timechart count by errorType span="1m"|addcoltotals|rename NULL as count


These error name are too technical and i want to change them in the main panel and drilldown.


for e.g. if regex returns error"ID not found", I want to replace it with "Data_error"
also i want my title to change with the general name


        <title>$$selected_value$</title>

But the problem is when I change the name using eval, the drilldown query doesnot get the actual error name and search fails becuase there is no such error as "Data_error". the query needs
"ID not found" to fucntion.

Is there any way this can be achieved?Can I change the name of my searchTerm and at the same time use the old searchTerm in drilldown query as well?

 

Labels (4)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-06-2021 12:31 AM

Change the names with an eval in the search as you did before, then change it back in the drilldown eval

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2021 02:18 PM

Set an additional token in the drildown - you probably want to use an eval rather than set

        <drilldown>
            <set token="show_panel">true</set>
            <set token="selected_value">$click.value$</set>
            <eval token="converted_value">case($click.value$="ID not found","Data_error",$click.value$="some other code","some other value")</eval>
       </drilldown>
0 Karma
Reply
Solved! Jump to solution

nsingh49
Explorer
‎09-05-2021 10:31 PM

This worked great for the drilldown panel. Is there a way to update it in the main panel as well and replace technical name with a general name(the barchart column name)?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-06-2021 12:31 AM

Change the names with an eval in the search as you did before, then change it back in the drilldown eval

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...