- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- link to search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
link to search
I have a coloum chart with values displaying.
I select "configure link to a search"
when I click on coloum bar it opens the results in new windows. Problem is that beside showing act=unspecified|quarantine, it get the "number/count of event"
below is my query appear in searchbar:
iindex=trend sourcetype=e** cat="*e" **act=24 | dedup fixxth | table xxcxoxt fixxaxxh act TxxrxdMxxxroxxxleSHA1
search in the drilldown editor query is below:
iindex=trend sourcetype=*e act=$click.value2$ | dedup fixxth | table xxcxoxt fixxaxxh act TxxrxdMxxxroxxxleSHA1
Please help to fix this issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand your question, you want a click on a row to open a search which specifies the 'act' field in the new search?
If that's correct, try this:
index=trend sourcetype=**e* act=$row.act$ | dedup fixxth | table xxcxoxt fixxaxxh act TxxrxdMxxxroxxxleSHA1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a chart showing top 10 values.
when I click on bar it should show me the values instead of act=24.
I want to values of that fields beside the count.
act=block|quarantine
instead of act=24
I am using act=$click.value2$ but instead taking the values=block|quarantine, he toold value(act=24)
hope you understand my query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Nick,
I have a chart showing top 10 values.
when I click on bar it should show me the values instead of act=24.
I want to values of that fields beside the count.
act=block|quarantine
instead of act=24
I am using act=$click.value2$ but instead taking the values=block|quarantine, he toold value(act=24)
hope you understand my query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @rashid47010
u want to remove that link to search ust add in your proprties..
<option name="drilldown">none</option>
Harish
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
