Perform another search from the search result

wiggler
Explorer

Hi Splunk Gurus,

I am not sure what term to use for my question, so I will explain it so everyone will understand.

Let's say I have a dashboard and the query for my dashboard is something like this:

| dbxquery connection=DATAFILES query="select a.project.dir, a.project.location, a.project.owner, b.fileinfo.filename from project a, fileinfo b WHERE b.fileinfo.id = a.project.id"

What I want to achieve is that, if a user clicks one of the owners, it will do another search for all the files owned by that user and display them in the dashboard.

Thanks.


niketn
Legend

@wiggler, based on your description, you want to perform Table Drilldown on the a.project.owner field.
The following is a run-anywhere example which creates two a.project.owner values.

Table drilldown has the following notable behavior:
1) The Owner value is passed on to the second search only if a row in the a.project.owner field is selected. This is optional. As long as the specific row with the Owner Name you are interested in is clicked, you can access the Owner value displayed in the table, as explained in the next point.

   <condition field="a.project.owner">

2) The a.project.owner value is accessed based on the selected row using the predefined table drilldown token $row.<fieldName>$

  <set token="tok_owner">$row.a.project.owner$</set>

3) The token to be used in the second search is unset if any field other than a.project.owner is clicked. This hides the second panel and stops the search. This is also optional.

       <condition>
         <unset token="tok_owner"></unset>
       </condition>

Depending on your Splunk version (I think 6.5 and 6.6), drilldown options are available directly from the UI edit option. However, it is better if you familiarize yourself with Simple XML drilldown coding as well.

<dashboard>
  <label>Table Drilldown Example</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval a.project.owner="Test Owner1"
| append [| makeresults
| eval a.project.owner="Test Owner2"]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <!-- A click in the a.project.owner column sets the token from the clicked row -->
          <condition field="a.project.owner">
            <set token="tok_owner">$row.a.project.owner$</set>
          </condition>
          <!-- A click in any other column clears the token and hides the second panel -->
          <condition>
            <unset token="tok_owner"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$tok_owner$">
      <table>
        <title>$tok_owner$</title>
        <search>
          <query>| makeresults
| eval a.project.owner="Selected Owner - "."$tok_owner$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
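The same drilldown pattern applied to the dbxquery from the question, as an added example that is not part of either post above. It assumes the DATAFILES connection from the question and that the result columns keep the names used in the SELECT (a.project.owner, b.fileinfo.filename). The clicked owner value is deliberately not pasted into the SQL text; the SQL stays fixed and the owner filter is applied in SPL, where the Simple XML `|s` token filter quotes and escapes the value.

```xml
<dashboard>
  <label>Files by owner (drilldown example)</label>
  <row>
    <panel>
      <table>
        <title>Projects</title>
        <search>
          <query>| dbxquery connection=DATAFILES query="select a.project.dir, a.project.location, a.project.owner, b.fileinfo.filename from project a, fileinfo b WHERE b.fileinfo.id = a.project.id"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- Only a click in the owner column sets the token -->
          <condition field="a.project.owner">
            <set token="tok_owner">$row.a.project.owner$</set>
          </condition>
          <!-- Any other cell clears it, which hides the panel below -->
          <condition>
            <unset token="tok_owner"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Rendered only while tok_owner is set -->
    <panel depends="$tok_owner$">
      <table>
        <title>Files owned by $tok_owner$</title>
        <search>
          <!-- Fixed SQL; the owner filter is applied in SPL on the
               $tok_owner|s$ value (quoted and escaped by the |s filter).
               Column names are assumed to match the SELECT list. -->
          <query>| dbxquery connection=DATAFILES query="select a.project.owner, b.fileinfo.filename from project a, fileinfo b WHERE b.fileinfo.id = a.project.id"
| where 'a.project.owner'=$tok_owner|s$
| table a.project.owner b.fileinfo.filename</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

If the file set is large, a second dbxquery per click costs a full scan of the join; in that case restrict the fixed SQL to the columns needed and let the SPL `where` do the per-owner narrowing.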

wiggler
Explorer

@niketnilay, I will try your solution and let you know the results. Thank you very much.
