Splunk Search

Can I set a specific link for a given field in a search table

Andrew_Banman
Explorer

Hi there folks,

I am building a custom alerts dashboard based on a search that returns a table (see demo screen below). I have it doing a lookup and adding a few custom fields I need based on the specific types of alerts found. Now I want to add a link to the dashboard so the user can go directly to the correct dashboard based on the specific alert. Unfortunately, the link I added based on a lookup doesn't actually work. This link is just a standard table drilldown.

Any ideas on how I can make my field use the link I give it? Can I specify this link in some part of the search so that when the table renders, this field will use my link rather than a standard drilldown?

Here is the search in case it matters:

index="_audit" sourcetype="audittrail" action="alert_fired" ss_app="itg" | eval trigger_time=strftime(trigger_time,"%Y-%m-%d %H:%M:%S") | dedup ss_name | `replace_numeric_severity_with_text` | rex "(?i) *ss_name=\"(?P<ss_prefix>[a-z]+_)" | lookup itg_app_alerts search_source as ss_prefix OUTPUT support_team as local_support_team, dashboard_url as local_dashboard_url | table trigger_time, ss_name, severity, local_support_team, local_dashboard_url

And here is a picture of the search thus far to give you context. As you can see I have a URL in the last field that I want to use. But my URL doesn't get used; it's just the standard drilldown URL used by default in Splunk tables.


Thanks for any thoughts you have 🙂


Andrew_Banman
Explorer

Nice, thanks. It's working now. I appreciate the help 🙂


Flynt
Splunk Employee

Just a note on this -

Make sure your application.js points to the correct views -

case "my_view": case "my_other_view":

---> These should match your view names exactly (make sure you don't use the .xml extension)

Let us know how it turned out!


Andrew_Banman
Explorer

OK, as often with Splunk documentation things look pretty easy but I don't get the desired results immediately. I guess I am missing something. Perhaps you can spot my error.

Per the docs ....

1) I've added the 2 critical bits to my Advanced XML. Ensuring that drilldown is set to row and that the module "NullModule" is added.

2) I went back to my search and ensured that the link field was first in the table and that it was properly labeled as "link".

Unfortunately it still doesn't do what I want it to. When I click, it just launches the result set as usual.

Here is a snippet of the AdvancedXML for this panel in case you can spot my error:

Advanced XML Snippet

Here is the tweaked search to make sure "link" is used first:

index="_audit" sourcetype="audittrail" action="alert_fired" ss_app="itg" | eval trigger_time=strftime(trigger_time,"%Y-%m-%d %H:%M:%S") | dedup ss_name | `replace_numeric_severity_with_text` | rex "(?i) *ss_name=\"(?P<ss_prefix>[a-z]+_)" | lookup itg_app_alerts search_source as ss_prefix OUTPUT support_team as local_support_team, dashboard_url as link | table link, trigger_time, ss_name, severity, local_support_team | rename trigger_time AS TIME, ss_name AS SEARCH_NAME, severity AS SEVERITY, local_support_team AS SUPPORT_TEAM

And here is a screenshot of the output that unfortunately doesn't launch my custom link yet:

Screenshot


Andrew_Banman
Explorer

Thanks for this tip, I will start working through the doc you referenced. I hope this will get me there 🙂


jonuwz
Influencer

Walkthrough here

If you don't want the link in the 1st column, you'll need to change the drilldown for SimpleResultsTable to 'all'.

You may also need to override the drilldown for the other fields too.

Probably easier all round to keep the link in the 1st column.
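Whatever finally delivers the click (the application.js override Flynt mentions, or the 'all' drilldown above), the link value comes from a lookup table, so it is worth validating before the browser navigates to it. The following is an added example, not code from the thread or from Splunk; the column name "link", the /app/<app>/<view> path rule, the generic DOM selectors and the sample rows are assumptions:

```javascript
// Added example, not from the thread or from Splunk's own code. Picks the navigation
// target for a clicked results-table row from the column named "link" and accepts it
// only if it stays inside this Splunk instance. The lookup-supplied dashboard_url is
// data controlled by whoever can edit the lookup, so it is validated before use;
// anything else yields null, meaning "keep the default drilldown".

// Allow absolute paths of the form /app/<app>/<view>[?..][#..], or same-origin absolute
// URLs with such a path. Scheme-relative ("//host"), javascript: and data: URLs fail.
const APP_VIEW_PATH = /^\/app\/[A-Za-z0-9_-]+\/[A-Za-z0-9_-]+(?:[?#].*)?$/;

function isAllowedDashboardUrl(url, origin) {
  if (typeof url !== "string" || url.length === 0) return false;
  if (url.startsWith("/") && !url.startsWith("//")) return APP_VIEW_PATH.test(url);
  try {
    const u = new URL(url); // throws for relative or malformed input
    return u.origin === origin && APP_VIEW_PATH.test(u.pathname + u.search + u.hash);
  } catch (e) {
    return false;
  }
}

// headers and cells are arrays of strings in column order, as the rendered table shows
// them; the column name "link" follows the thread's convention.
function customDrilldownTarget(headers, cells, origin) {
  const i = headers.indexOf("link");
  if (i < 0 || i >= cells.length) return null;
  return isAllowedDashboardUrl(cells[i], origin) ? cells[i] : null;
}

// Constructed sample rows mirroring the thread's table ("link" first); the app name
// "itg" comes from the search, the view names and other values are made up.
const SAMPLE_HEADERS = ["link", "TIME", "SEARCH_NAME", "SEVERITY", "SUPPORT_TEAM"];
const SAMPLE_ROWS = [
  ["/app/itg/db_alerts", "2024-03-01 10:00:00", "itg_db_disk", "high", "dba"],
  ["https://other-host.example/app/itg/db_alerts", "2024-03-01 10:05:00", "itg_web_5xx", "medium", "web"],
  ["javascript:void(0)", "2024-03-01 10:07:00", "itg_auth_fail", "low", "sec"],
];

// Browser-only wiring (skipped under Node): read the clicked row's headers and cells from
// the DOM and navigate when a validated link exists. The generic <tr>/<th>/<td> selectors
// are an assumption; an Advanced XML setup would hook the module's row click instead.
if (typeof document !== "undefined") {
  document.addEventListener("click", function (evt) {
    const tr = evt.target.closest("table tr");
    if (!tr) return;
    const headers = Array.from(tr.closest("table").querySelectorAll("th"), th => th.textContent.trim());
    const cells = Array.from(tr.querySelectorAll("td"), td => td.textContent.trim());
    const target = customDrilldownTarget(headers, cells, window.location.origin);
    if (target) { evt.preventDefault(); window.location.assign(target); }
  });
}
```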
