Hello.
I'm trying to pass a clicked value into a search with a drill down. How would I do this? I've tried using the following:
<drilldown>
<condition field="Exceptions">
<link>![CDATA[
/en-US/app/search/search?q=search%20host%3D"inf012prd*.ipacc.com"%20source%3D"%2Flogging%2FPaymentsServiceV3%2Finf012prd*.ipacc.com%2Ferror.log"&earliest=%40d&latest=now&sid=1434981359.49340q=$click.name2$
]]</link>
</condition>
</drilldown>
However, that only gives me a "the search was not found" error. What am I doing wrong?
EDIT: After searching around, I tried using <searchstring> in the XML, but using that didn't bring me to my destination when I clicked on the field in my chart.
In that URL there is a search ID. Search IDs (the search) expires after 15 mins. Try removing the SID from the URL. Something like:
/en-US/app/search/search?q=search%20host%3D"inf012prd*.ipacc.com"%20source%3D"%2Flogging%2FPaymentsServiceV3%2Finf012prd*.ipacc.com%2Ferror.log"&earliest=%40d&latest=now&q=$click.name2$
Why is there 2 searches (q=) in the URL? I see you are just passing a token in the second search, without a search command. Why is this not included in the first search?
I added the second "q=" because the Splunk documentaton said to format it like this:
<link> URL?q=$dest_value$ </link>
I removed the second search and placed the token in the first, but I'm still getting the same error.
Ok, I tried this, but I'm still getting the same error. Good call on the search id, though.