Splunk Search

Send Drilldown Search to a New Window

landen99
Motivator

I want to click on an entry in a table and see the record or records behind it in a new window.
I found one question which may be similar to this (http://answers.splunk.com/answers/28208/how-to-drill-down-launch-another-search-with-parameter-from-...), but the OP brought in XML code and the answer didn't lend itself at all to what I am after.

It may be nice to have the drilldown simply launch new searches in new tabs/windows, but when I look at a row, I am mostly interested in seeing the rest of the details behind the event or events which created it without losing the search already on the screen. In many cases, having the current results up for comparison against the details of the event(s) is preferred.

Lowell
Super Champion

Because I use Splunk Answers as my own personal knowledge base, here's a single consolidated answer that includes a few tricks I just discovered...

The following shows a few things:

  1. The use of an extra token to store the drill-down search string using a <set>
  2. How to handle a field="value with spaces" in your search. (Using the $token|s$ syntax)
  3. How to avoid manually URL encoding a Splunk search string (using the $token|u$ syntax)
  4. How to avoid hard-coding the app-path prefix. (Not sure this ALWAYS works, but seems to work for me)

Example Simple XML:

<dashboard>
  <label>Example - Drilldown to a different page</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd | cluster showcount=true | sort - cluster_count | table _time, log_level, component, message</query>
          <earliest>-1h@m</earliest>
          <latest>@m</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown target="_blank">
          <set token="drilldown_srch">index=_internal sourcetype=splunkd $row.log_level$ $row.component$ message=$row.message|s$</set>
          <link>search?q=$drilldown_srch|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
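An added example, not part of the original answer and not Splunk's code: a JavaScript sketch of what the `|s` and `|u` token filters in the dashboard above protect against when a clicked row value contains spaces, quotes, `&` or a pipe. The helper names, the sample row and the `splunk.example` base URL are assumptions, and the exact escaping Splunk applies internally is approximated.

```javascript
// Added illustration, not Splunk source code. The two helpers approximate the
// token filters described above; the exact escaping Splunk applies is assumed.

// $token|s$: wrap the value in double quotes, escaping backslashes and quotes.
function filterS(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// $token|u$: URL-encode the value for use inside a link.
function filterU(value) {
  return encodeURIComponent(String(value));
}

// Mirrors the <set> and <link> lines of the dashboard, with or without filters.
function buildDrilldown(row, useFilters) {
  const message = useFilters ? filterS(row.message) : row.message;
  const search = 'index=_internal sourcetype=splunkd ' +
    `${row.log_level} ${row.component} message=${message}`;
  const link = 'search?q=' + (useFilters ? filterU(search) : search);
  return { search, link };
}

// Count pipeline stages: a pipe outside double quotes starts a new command.
function pipelineStages(spl) {
  let stages = 1, inQuotes = false;
  for (let i = 0; i < spl.length; i++) {
    const c = spl[i];
    if (c === '\\' && inQuotes) { i++; continue; } // skip the escaped character
    if (c === '"') inQuotes = !inQuotes;
    else if (c === '|' && !inQuotes) stages++;
  }
  return stages;
}

// What the search page would read from its q parameter (placeholder host).
function receivedQuery(link) {
  return new URL(link, 'https://splunk.example/app/search/').searchParams.get('q');
}

// Constructed sample row: a message with spaces, quotes, '&' and a pipe.
const sampleRow = { log_level: 'WARN', component: 'TcpOutputProc',
  message: 'Read "timeout" on a & b | retrying' };

const filtered = buildDrilldown(sampleRow, true);
const raw = buildDrilldown(sampleRow, false);
console.log(pipelineStages(filtered.search), receivedQuery(filtered.link) === filtered.search);
console.log(pipelineStages(raw.search), receivedQuery(raw.link) === raw.search);
```

With the filters the message stays one quoted field value and the whole search survives the URL; without them the pipe in the data becomes a second pipeline stage and the `&` truncates the `q` parameter.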

kranzrm
Path Finder

Great solution! This worked well for me.

0 Karma

dflodstrom
Builder

This is a very nice way to do this!

0 Karma

martin_mueller
SplunkTrust

Are you using SimpleXML?

If so, take a look at this: http://docs.splunk.com/Documentation/Splunk/6.0.2/Viz/PanelreferenceforSimplifiedXML#Drilldown_eleme...
You can specify a target attribute for the drilldown element to control where the click leads to.

landen99
Motivator

All drilldowns should launch in a new tab. My understanding is that default drilldowns are when you click a field in the search results. I know that you can click a fieldname on the left and drilldown through those fields but I don't know if they qualify as default drilldowns or custom drilldowns. I can't think of any other kind of drilldown example at the moment. What are the various kinds and how are they different in the XML treatment? Are drilldowns in searches considered different from drilldowns in dashboards, except in the ability to manipulate the XML?

0 Karma

martin_mueller
SplunkTrust

Wait... are you trying to run the default drilldowns in a new window or are you trying to run custom drilldowns in a new window?

0 Karma

landen99
Motivator

The client manages to launch searches just fine within the same window. Isn't there a way for any drilldown click to just tell it to "Send that drilldown search to another tab and leave this tab alone"? I have tried right-clicking where it would drill down in order to copy the URL for the search which the drilldown would execute, but I am not seeing any "copy link address" option, even though I can see the URL of the search at the bottom of the web browser. Is there a way to enable that option?

0 Karma

martin_mueller
SplunkTrust

The link tag content tells Splunk where you want to drill down to, and what data you want to pass. There's no one-size-fits-all answer to that for every imaginable custom drilldown.

0 Karma

landen99
Motivator

The browser can create and save .bat files and .txt files. It can launch .bat files to load notepad with the new file.

The sandbox isolates tabs from each other and from main memory so that they cannot steal information.

On the issue of launching a drilldown search into a new window, what content would be appropriate for the link tag? Does this link tag have to be customized for each dashboard panel search? Is there no "leave my current tab alone and do your Splunk search work in another tab" general user option/setting? If not, where would be the best place to suggest such a feature?

0 Karma

martin_mueller
SplunkTrust

You will have to replace the content of the link tag with your drilldown destination and passed fields.

I don't think JavaScript is allowed to somehow communicate with external programs such as notepad; that would seriously violate the browser sandbox.

0 Karma

landen99
Motivator

Will that code work verbatim to launch a Splunk drilldown search in a new window or do I have to put something specific into the "your_page" part of your code?

Is there a way to throw the field or row values into notepad, instead of the clipboard?

Added:
Any way to launch drilldown searches from the standard search bar into a new window, too (not dashboard)?

0 Karma

martin_mueller
SplunkTrust

You're looking for something like this:

<drilldown target="_blank">
  <link>your_page?field=$field_name$</link>
</drilldown>

As for copying stuff to the clipboard, JavaScript cannot access the clipboard in any modern browser for security reasons.

landen99
Motivator

Based on your feedback and the link that you provided above, I believe that the code to send drilldown to a new window would be added between the table code tags as:

~~<drilldown>
  <link>
      _blank
  </link>
</drilldown>~~

Does that look right?

Field passing to Splunk, other webpages, etc. seems to require XML customization of each Panel in a dashboard.

Is there a way to pass the data in a row straight to the clipboard when clicked?

~~<drilldown>
  <link field="A">
      clipboard=$dest_value$
  </link>
</drilldown>~~

Am I on the right trail?

0 Karma

martin_mueller
SplunkTrust

Yeah, that's SimpleXML. Not sure if the target attribute is available in the UI, you can always choose Edit Source and add the attribute there.

0 Karma

landen99
Motivator

So when I click "edit Panel", that is SimpleXML? Where would the "_blank" go using that gui interface? I am familiar with the drilldown gui controls under the "edit Panels" option, Panel-General menu.

Sidenote: Also, I learned the hard way that text from search results cannot be highlighted while in Panel edit mode.

0 Karma

martin_mueller
SplunkTrust

You're using SimpleXML if you have the graphical drag-and-drop dashboard editor available.

0 Karma

landen99
Motivator

How do I know if I am using SimpleXML? The only time I notice XML is when I am editing a dashboard using the XML option. Your reference mentioned adding a "_blank" to the link, but where are the SimpleXML code and the link option within it?

0 Karma