I looked through the docs and other Splunk Answers, but it still isn't making sense to me, so please bear with me. 🙂
I have a simple "top" chart on a dashboard that lists web categories, their count, and percentage. I would like to be able to click on one of those categories and open a new search, in a new window (or tab), and insert that clicked category into a new search like this:
index=index type=type subtype=subtype action=action category=**CLICKED CATEGORY** | table _time srcip level dstip SourceZone reqtype service hostname url referralurl sentbyte rcvdbyte action msg catdesc crscore crlevel
How would I go about doing this?
Thanks for your continued, great help!
Here is some good documentation on this.
http://docs.splunk.com/Documentation/Splunk/6.0.2/Viz/Dynamicdrilldownindashboardsandforms
Basically, you will need to add a <drilldown target="_blank"> tag to your XML, something like this:
<drilldown target="_blank">
<link>/app/search/search?q=search%20index%3D_internal%20sourcetype%3Dsplunkd%20log_level%3D$row.log_level$</link>
</drilldown>
Thanks for the answer! But how would I set up the link to a normal search like the example I have above?
You can basically use any URL encoder online tool to transform your query
Query that needs to be run:
index=index type=type subtype=subtype action=action category=**CLICKED CATEGORY** | table _time srcip level dstip SourceZone reqtype service hostname url referralurl sentbyte rcvdbyte action msg catdesc crscore crlevel
URL Encoded search:
index%3Dindex+type%3Dtype+subtype%3Dsubtype+action%3Daction+category%3D%24row.category%24+%7C+table+_time+srcip+level+dstip+SourceZone+reqtype+service+hostname+url+referralurl+sentbyte+rcvdbyte+action+msg+catdesc+crscore+crlevel
Or you can use this run-anywhere Splunk search to do that:
| gentimes start=-1 | eval url=urlencode("Enteryourfullsearch here. escaping of double quotes would be required")
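Added example, not part of the original posts: a small Python helper that builds the whole `<drilldown>` element for the asker's search. It percent-encodes the query but leaves `$row.category$` literal, as the first answer's link does with `$row.log_level$`, and it prepends `search` as that link does. The function names and the token pattern are assumptions made for this illustration.

```python
import re
from urllib.parse import quote
from xml.sax.saxutils import escape

# Assumed token shape for this example: $row.category$, $click.value$, ...
TOKEN = re.compile(r"\$[A-Za-z_][\w.]*\$")


def encode_search(spl):
    """Percent-encode SPL for the q= parameter, keeping $token$ spans literal."""
    out, pos = [], 0
    for m in TOKEN.finditer(spl):
        out.append(quote(spl[pos:m.start()], safe=""))
        out.append(m.group(0))  # left as-is so the dashboard can substitute it
        pos = m.end()
    out.append(quote(spl[pos:], safe=""))
    return "".join(out)


def drilldown_xml(spl, app="search", target="_blank"):
    """Return a <drilldown> element that opens `spl` in a new window or tab."""
    # The first answer's link starts the query with "search"; do the same
    # unless the query already begins with it or with a generating pipe.
    if not spl.lstrip().startswith(("search ", "|")):
        spl = "search " + spl
    link = "/app/%s/search?q=%s" % (app, encode_search(spl))
    # XML-escape so a stray & or < in the link cannot break the dashboard XML.
    return '<drilldown target="%s">\n  <link>%s</link>\n</drilldown>' % (
        escape(target, {'"': "&quot;"}),
        escape(link),
    )


# The asker's search, with the clicked row's category as a token.
QUERY = (
    "index=index type=type subtype=subtype action=action "
    "category=$row.category$ | table _time srcip level dstip SourceZone "
    "reqtype service hostname url referralurl sentbyte rcvdbyte action msg "
    "catdesc crscore crlevel"
)

if __name__ == "__main__":
    print(drilldown_xml(QUERY))
```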
I actually got it working. Thanks for the help!