Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to pass a field value to a "Link to search" SPL query from a Dashboard table?

tdavison76
Path Finder
‎12-02-2024 06:50 AM

Hello,

I need help on passing a field value from a Dashboard table into a "Link to search" drilldown but can't figure it out.

I have a table that contains a "host" field.  I am needing to be able to click on any of the returned hosts and drill into all of the events for that host.  

I've tried in hopes that the $host$ would be replaced with the actual host name with this drilldown query:

source="udp:514" host="$host$.doman.com"

but, of course failed, it just get's replaced with "*".

I'm sure I'm probably way off on how to do this, but any help would be awesome. 🙂 

Thanks in advance.

Tom

Labels (1)
Labels
0 Karma
Reply

tdavison76
Path Finder
‎12-02-2024 08:16 AM

Hey guys,

Thanks for the quick help, still stuck for some reason.  So I've tried $row.host$ and $result.host$ but they both result in just passing $xxx.host$ for some reason.  Here's the config:

tdavison76_0-1733155819842.png

Here's the resulting search:

tdavison76_1-1733155959129.png

Here's the table query:

index="netscaler" host=*
| rex field="servicegroupname" "\?(?<Name>[^\?]+)"
| rex field="servicegroupname" "(?<ServiceGroup>[^\?]+)"
| rename "state" AS LastStatus
| eval Component = host."|".servicegroupname
| search Name=*
| eval c_time=strftime(Time,"%m/%d/%Y %H:%M:%S")
| streamstats window=1 current=f global=f values(LastStatus) as Status by Component
| where LastStatus!=Status
| rename _time as "Date"
| eval Date=strftime(Date, "%m/%d/%Y %H:%M:%S")
| table Date, host, ServiceGroup, Name, Status, LastStatus

 

And, here's a screenshot of the table if helpful. 🙂 

tdavison76_2-1733156117157.png

 

Thanks again for the help on this one, very much appreciated.

Tom

 

 

 

 

 

0 Karma
Reply

dural_yyz
Motivator
‎12-02-2024 08:26 AM

Ok so we know row and results works in other environments.  Something should be there based upon what we have seen from your SPL and table results.  I would recommend saving the updated drill down, then log out of splunk, close browser and clear cache/cookies, log into splunk, and reload dashboards.

0 Karma
Reply

tdavison76
Path Finder
‎12-02-2024 08:45 AM

Thanks,  I tried the steps, but same thing occurred.  I then quickly set up a Classic Dashboard instead of a Dashboard Studio, and it works.  Looks like either an issue with Studio, of maybe it's just done differently.  🙂

Thanks again,

Tom

 

0 Karma
Reply

dural_yyz
Motivator
‎12-02-2024 10:56 AM

I had assumed you were doing Classic XML to start, Dashboard Studio is slightly different I can try testing later.

0 Karma
Reply

tdavison76
Path Finder
‎12-02-2024 11:55 AM

Sorry about that, I didn't think it would matter.  Looks like it does.  I've created a Support ticket for this as well.  Hopefully, they'll get back to me.  If they do, I'll let you know the solution with Studio. 🙂

Thanks again,

Tom

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2024 12:23 PM

In Dashboard Studio it's $row.<<fieldname>>.value$.

$row.host.value$
---
If this reply helps you, Karma would be appreciated.
Reply

dural_yyz
Motivator
‎12-02-2024 07:45 AM

dural_yyz_0-1733154299777.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2024 08:16 AM

This is a better answer than mine.  $results$ will only pick up the first result rather than the row clicked.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2024 07:32 AM

Use $results.host$

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...