Splunk Search

For drilldown, can I use an extracted field as a token value?


My token:



lobName is a field that I extracted using Rex statement; it isn't an actual field in the index I'm searching on. My drilldown is showing 0 results, but it looks like the token is being passed successfully, so I'm not sure what's going on. I have a similar dashboard where the tokens being passed are 'real' fields in the index, and the drilldown works just fine, so I thought maybe the issue here is that extracted fields cannot be tokens.

0 Karma

Esteemed Legend

Your XML works for me with very slight adjustment in v7.2.4; try this:

           <query>index=_internal | rex field=source "log\/splunk\/(?<file>.*)"|dedup source,file,sourcetype | table source,file,sourcetype</query>
         <option name="drilldown">cell</option>
           <eval token="log_filename">$row.file$</eval>
           <query>index=_internal source = "*$log_filename$"|dedup source | table source</query>
         <option name="drilldown">none</option>
0 Karma


Hi @blindfire_bandit

Please refer this and let me know

          <query>index=_internal | rex field=source "log\/splunk\/(?P<file>.*)"|dedup source,file,sourcetype | table source,file,sourcetype</query>
        <option name="drilldown">cell</option>
          <eval token="log_filename">$row.file$</eval>
          <query>index=_internal source = "*$log_filename$"|dedup source | table source</query>
        <option name="drilldown">none</option>
0 Karma


Sorry, I left out the set statement.

      <set token="LobNameTok">$row.lobName$</set>
0 Karma

Esteemed Legend

What you have shown should work. You need to provide more details.

0 Karma



Here is the xml in it's entirety. When I click on a row in the first table, I need it to pass the 'LobNameTok' token to the "Detail View" table (second table), so that the second table shows information that is only pertinent to that lob. See my where clause. From testing that I've done yesterday, I've concluded that the token IS being recognized by the second table when I click a row in the first. However, nothing is loading in the second table, it's just empty. I thought that perhaps it was an issue with lobName being a field that I extracted with rex() and not an actual field in my index. Maybe I have another issue that I'm not seeing.

      <query>index=ssi_rtc ("handled request with state Success" OR "handled request with state Errored")
        | where isnull(webService)
        | rex "message\" : (?&lt;server&gt;\w+)\.\.(?&lt;lobName&gt;\w+(\-[a-zA-Z]+){0,1})\-(?&lt;transactionType&gt;\w+)\."
        | where transactionType="270"
        | rex "\"RequestReceivedFromClientTimeUtc\"\:\"(?&lt;requestReceivedTimeText&gt;.+?)\""
        | rex "\"ReplySentToClientTimeUtc\"\:\"(?&lt;replySentTimeText&gt;.+?)\""
        | eval requestReceivedTime = strptime(requestReceivedTimeText,"%Y-%m-%dT%H:%M:%S")  
        | eval replySentTime = strptime(replySentTimeText,"%Y-%m-%dT%H:%M:%S") 
        | eval processingTimeInSeconds = replySentTime - requestReceivedTime 
        | stats avg(processingTimeInSeconds) as TimeAtLobSeconds by lobName
        | eval TimeAtLobSeconds = round(TimeAtLobSeconds, 0)
        | eval isFailure = if(TimeAtLobSeconds &gt; 20, 1, 0)
        | where (isFailure == 1) 
        | table lobName TimeAtLobSeconds
        | rename TimeAtLobSeconds as "Avg. Time at Lob (seconds)"
        | sort -"Avg. Time at Lob (seconds)"</query>
    <option name="count">10</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
      <set token="LobNameTok">$row.lobName$</set>
  <title>270 - Payer Latency (Detail View)</title>
      <query>index=ssi_rtc ("handled request with state Success" OR "handled request with state Errored") 
         | rex "\"message\"\s\:\s(?&lt;server&gt;[A-Z]+)\.\.(?&lt;lobName&gt;[A-Z].+?)\."
        | where (lobName == $LobNameTok$ and isnull(webService)) 
        | eval requestReceivedTime = strptime(requestReceivedTimeText,"%Y-%m-%dT%H:%M:%S")  
        | eval replySentTime = strptime(replySentTimeText,"%Y-%m-%dT%H:%M:%S") 
        | eval processingTimeInSeconds = (replySentTime - requestReceivedTime) 
        | stats avg(processingTimeInSeconds) as TimeAtLobSeconds by lobName
        | table lobName TimeAtLobSeconds
        | rename lobName as "Lob Name", TimeAtLobSeconds as "Time at Lob"
        | sort -_time</query>
0 Karma
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...