Splunk Enterprise Security

Splunk Enterprise Security: How to pass a token with double quotes to a correlation drilldown search?

splunkrocks2014
Communicator

Assuming I defined a correlation search in Splunk Enterprise Security as the following:

    index="_internal" sourcetype="splunkd" log_level="INFO" | stats count by name message | rename name AS "alert name"

How can I pass the token "alert name" to the drilldown search?

Thanks.

0 Karma
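An added illustration (not code from any of the posters or from Splunk itself): a small Python renderer that shows why a `$alert name$`-style substitution needs both the multi-word field name and the event value quoted and escaped before they are placed into a drilldown search. The `$field$` token syntax and the escaping rules are assumptions made for the illustration; they are not a description of the ES substitution engine.

```python
import re

# Constructed sample: fields of one notable event. The multi-word field name
# comes from `rename name AS "alert name"`; the value deliberately contains
# double quotes, the case the question title asks about.
EVENT = {
    "alert name": 'Brute force "admin" login',
    "message": 'user="admin" action=failure',
    "count": 7,
}

# Assumed token syntax: $field$, where the field name may contain spaces.
TOKEN = re.compile(r"\$([^$]+)\$")


def spl_quote(value) -> str:
    """Return value as a double-quoted SPL string literal. Backslashes and
    embedded double quotes are escaped so the value cannot terminate the
    literal early and add unintended search terms to the drilldown."""
    text = str(value)
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def spl_field(name: str) -> str:
    """Field names made only of word characters may stay bare; any other
    name (spaces, punctuation) must be double-quoted in SPL."""
    if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        return name
    return '"' + name.replace('"', '\\"') + '"'


def render_drilldown(template: str, event: dict) -> str:
    """Replace every $field$ token with the quoted value of that field.
    Unknown fields raise instead of silently leaving the token in place."""
    def repl(match):
        field = match.group(1)
        if field not in event:
            raise KeyError(f"drilldown references unknown field: {field!r}")
        return spl_quote(event[field])
    return TOKEN.sub(repl, template)


def build_filter(event: dict, fields) -> str:
    """Build a `field=value` search filter for the given fields, quoting
    both the names and the values."""
    return " ".join(f"{spl_field(f)}={spl_quote(event[f])}" for f in fields)
```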

jstoner_splunk
Splunk Employee
Splunk Employee

I have been looking over some previous questions like this and I am running into the same issues you have encountered. I am trying to understand where you are trying to get to at the end of the day, though.

I realize your example search is very generic, but why are you looking to rename that value to a multi word value? Is that associated with how you want it to be shown on the Incident Response page? If so, could that be solved in a different manner in the ES Config - Incident Review Settings - Incident Review Field Attributes?

That way the drill down could stay as search index=Internal $name$ as you have in the example, but the display would show Alert Name when you expand the notable event.

That may not be where you are going with this but figured I would throw that out.

Hope this helps...

0 Karma

somesoni2
Revered Legend

Assuming you want to drill down when you click on any row of your search results, you can try what is suggested in the sample/run-anywhere dashboard below.

    <form>
      <label>ForTest_Delete</label>
      <row>
        <panel>
          <table>
            <title>Fired Alerts - token=$alertname$</title>
            <search>
              <query>index=_internal sourcetype=scheduler status=success alert_actions=summary_index | stats count by savedsearch_name | rename savedsearch_name as "Alert Name"</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </search>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="drilldown">row</option>
            <option name="dataOverlayMode">none</option>
            <option name="count">10</option>
            <drilldown>
              <set token="alertname">$row.Alert Name$</set>
            </drilldown>
          </table>
        </panel>
      </row>
    </form>

0 Karma

splunkrocks2014
Communicator

Hi somesoni2, thank you for your information. However, this is related to the correlation search from Splunk Enterprise Security (app), and it is not related to dashboard creation. Please see the "Drill-down search" field in the image below:


somesoni2
Revered Legend

It says "Supports variable substitution with fields from the matching event", so have you tried using search $alert name$? Or search %alert name%?

0 Karma

splunkrocks2014
Communicator

It doesn't work in either format.

0 Karma