I'm working on a dashboard that shows VPN logins and Citrix XenApp applications with inputs to select a specific business unit and facility name (actual location/complex).
The way I join a Citrix application with a facility and business unit is through three lookup tables:
props.conf:
[xenapp:65:session]
LOOKUP-table1 = business_units_facilities_applications application_name OUTPUTNEW facility_id
LOOKUP-table2 = business_units_facilities facility_id OUTPUTNEW facility_id facility_name bunit
LOOKUP-table3 = business_units bunit OUTPUTNEW bunit business_unit_name
FIELDALIAS-xenapp_fields = BrowserName AS application_name
transforms.conf:
[business_units]
filename = business_units.csv
[business_units_facilities]
filename = business_units_facilities.csv
[business_units_facilities_applications]
filename = business_units_facilities_applications.csv
So what's happening is that xenapp:65:session contains a field called BrowserName. I alias this to application_name, which is in the business_units_facilities_applications lookup. I get a new field facility_id, which is used to look up facility_name and bunit in the second table.
The third table looks up the friendly business_unit_name based on bunit. It all works and every field is shown in the search, except when I start drilling down in my search on any of the fields from table2 or table3. Why is that? Here's an example:
When drilling down:
I'm running Splunk 6.1.4. I've tried doing default_match=* and min_matches=1 on the lookup definitions too. Is my SQL-esque way of thinking no good for Splunk lookup tables? Would I need to use a database and DB Connect in order to do this?
You would be able to drilldown better from a dashboard, not from a search view. See this for drilldown related help.
http://docs.splunk.com/Documentation/Splunk/6.1.4/Viz/PanelreferenceforSimplifiedXML#Drilldown_eleme...
When setting up drilldown, you can use tokens like $row.<>$ to pass the values.
Also, could you validate if you can manually run below searches with results:
sourcetype=xenapp:*:session FarmName="*" BrowserName="*" NOT BrowserName="" user="*" ServerName="*"
business_unit_name=" Energi"
sourcetype=xenapp:*:session FarmName="*" BrowserName="*" NOT BrowserName="" user="*" ServerName="*"
| search business_unit_name=" Energi"
#comment: use the actual value for field business_unit_name
Not really looking to drill down in the traditional sense but rather be able to search on the business_unit_name field in the base search. The issue is that to get to that field I need to go through the other lookups. I would expect Splunk to get me to that field since it returns it based on the automatic lookups in the general search. I might have to do some manual | lookup commands in the search and then the | search filter in the end, but it's a bit counter-intuitive as I already have the automatic lookups defined. Let me try what you suggested, which looks like a possible workaround. Could it simply be a bug?
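The three-table chain from the question, written out as explicit | lookup commands followed by the | search filter that the comment above describes. This is an added example, not from the original thread; it assumes the lookup definitions from the transforms.conf shown in the question and the field names used there, and "Energi" stands in for whatever business_unit_name value you actually want to filter on.

```spl
sourcetype="xenapp:65:session"
| eval application_name=BrowserName
| lookup business_units_facilities_applications application_name OUTPUTNEW facility_id
| lookup business_units_facilities facility_id OUTPUTNEW facility_name bunit
| lookup business_units bunit OUTPUTNEW business_unit_name
| search business_unit_name="Energi"
| table _time user ServerName application_name facility_name business_unit_name
```

Because each | lookup runs before the filter, business_unit_name exists on every event by the time | search evaluates it, which is what the automatic LOOKUP-table1..3 chain did not guarantee when the field was used directly in the base search.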
Your "filter search" command solved it. I believe this is suboptimal as it has to fetch all results and then filter them. Any official comment on this would be more than welcome 🙂
If anyone can convert your comment to an answer that would be great.