Export dilldown search with variables substituted - Splunk Community

Splunk Search

Hi Team,

I have a query related to drilldown searches of notables. I want to export/show results of drilldown searches with variables substituted corresponding to each notable.

Example, consider following search:
`notable` | search event_id="XXXXXX" | table drilldown_search,drilldown_earliest,drilldown_latest

The above search will give me drilldown search but with variables not substituted. I want the variables to be substituted in the search results.

Actual result of above search - index=abc action=failure user="$user$"

Desired output - index=abc action=failure user="johndoe@example.com"

Let me know if any further info is needed. Thanks in advance.

Regards,

Shaquib

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...