Hello @kamlesh_vaghela

Use Case: The current requirement is to fetch the base events from Contributing events for a Notable event using the Splunk Search REST API.

Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/RESTREF/RESTsearch#search.2Fjobs

As part of the Post Search action, we have rule_id & timestamp. In response, <sid> (Search ID) is returned. With the help of this <sid>, we get <drilldown> parameters like <drilldown_name>, <drilldown_latest>, <drilldown_earliest>, <drilldown_search> & <src> fields, and with these we need to make the search query.

My question is: based on these drilldown parameters, how do I make the search query for fetching the base events using <drilldown_search>?

"drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$"

This is the API URL for the post action: https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/RESTREF/RESTsearch#search.2Fjobs

https://<host>:<mPort>/services/search/jobs

In which fields do I need to replace the '$src$' value and frame the query?

Thanks,
Mahalaxmi
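An added example, not part of the original post: one way to expand the `$src|s$` token in `drilldown_search` and build the form body for a POST to `services/search/jobs`. The notable field values are constructed, the function names are hypothetical, and the code assumes the `|s` token filter means "wrap the value in double quotes", with epoch seconds passed as `earliest_time`/`latest_time`.

```python
import re
from urllib.parse import urlencode

# $name$ or $name|s$ ; the optional one-letter suffix is the token filter.
TOKEN = re.compile(r"\$(?P<name>[A-Za-z_][\w.]*)(?:\|(?P<filt>[a-z]))?\$")

def expand_drilldown(template, fields):
    """Replace drilldown tokens with field values taken from the notable event."""
    def repl(match):
        name, filt = match.group("name"), match.group("filt")
        if name not in fields:
            raise KeyError(f"notable has no field {name!r}")
        value = str(fields[name])
        if filt == "s":
            # Quote the value and escape backslashes and quotes so that event
            # data cannot close the string and append its own SPL.
            escaped = value.replace("\\", "\\\\").replace('"', '\\"')
            return f'"{escaped}"'
        if filt is None:
            # Added safeguard (assumption, not Splunk behaviour): refuse raw
            # substitution of values that could change the query structure.
            if re.search(r'[|\[\]"\s]', value):
                raise ValueError(f"unsafe raw value for ${name}$")
            return value
        raise ValueError(f"unsupported token filter |{filt}")
    return TOKEN.sub(repl, template)

def job_form(notable):
    """Form-encoded body for POST https://<host>:<mPort>/services/search/jobs."""
    return urlencode({
        "search": expand_drilldown(notable["drilldown_search"], notable),
        "earliest_time": notable["drilldown_earliest"],  # assumed epoch seconds
        "latest_time": notable["drilldown_latest"],      # assumed epoch seconds
    })

# Constructed sample notable; only drilldown_search is taken from the post.
SAMPLE_NOTABLE = {
    "drilldown_search": '| from datamodel:"Authentication"."Authentication" '
                        '| search src=$src|s$',
    "drilldown_earliest": "1617000000",
    "drilldown_latest": "1617003600",
    "src": "10.0.0.5",
}

if __name__ == "__main__":
    print(expand_drilldown(SAMPLE_NOTABLE["drilldown_search"], SAMPLE_NOTABLE))
    print(job_form(SAMPLE_NOTABLE))
```

The token is replaced only inside the `search` parameter; the time bounds go in their own parameters rather than into the query text.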