Hi, I have some sample/fake data represented as a table. When I click a value under ip, a drilldown action is supposed to be run based on whether one of the 3 specific fields has a 1 as its value. How do I reference the fields here?
ip          jim_pc  sally_pc  joe_pc
11.11.11.1  1       0         0
22.22.22.2  0       1         0
Here's the piece of my XML that seems to always store null in the token:
<drilldown>
  <eval token="first_valid_source">case(jim_pc == 1, "jimmy", sally_pc == 1, "sally", joe_pc == 1, "joseph")</eval>
  ...
</drilldown>
@Vijeta
My workaround for this was to use multiple condition tags, where each field that needed a drilldown has its own condition. The notable thing I learned was that in order for this to work, I needed to have "https://....(etc)" in front of the search query, unlike my original setup.
Here is a sanitized example condition for the ip field:
<drilldown>
  <condition field="ip">
    <link target="_blank">https://sanitized-link-here.com/en-US/app/sanitizedApp/search?q=sourcetype= firstSourceType OR secondSourceType OR thirdSourceType ip = "$click.value$" | table ip Computer_Name MAC_Address Operating_System lastSeen | dedup ip&amp;earliest=-7d&amp;latest=now</link>
  </condition>
</drilldown>
@russell120
Try using $result.jim_pc$ instead of jim_pc, $result.sally$ for sally and $result.joseph$ for joseph in your case statement.
@Vijeta Doing that returns:
404 Not Found
Return to Splunk home page
Page not found!
View more information about your request (request ID = xxxxxxxxxxxxxx) in Search
@russell120 Is that after you click on the drilldown link on your dashboard? What is the link?
@Vijeta Yes, it is after I click the link. I run a query with a CSV and a table is created (similar to the example given above). The "links" are any of the ip field values.
@russell120 - What is the URL generated for the link?
@Vijeta Sorry. The link is another search query:
<link target="_blank">search?q=sourcetype=$chosen_source_type$ ip = "$click.value$" | table $table_command_fields$ | dedup ip&amp;earliest=-7d&amp;latest=now</link>
@russell120 The link has to be a form or drilldown in Splunk and not a search query. You need to create another dashboard and pass these input parameters to the dashboard link.
This may be of help:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/DrilldownLinkToDashboard
@Vijeta So it's impossible to reference field names in a case statement the way it's done in the XML in line 2 in my original question?
@russell120 I am assuming you are using drilldown on a table visualization in a panel; you will anyway need a result token to access your result values from the search query.
Also, please go through the link I shared in my previous comment; it is explained in a better way, with an example, in the document.
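Added example, not taken from any post in this thread: a minimal Simple XML dashboard that reads the other columns of the clicked table row through the predefined `$row.<fieldname>$` drilldown tokens and feeds the result to a second panel. The `makeresults` data, the panel layout and the `clicked_ip` token name are constructed for illustration; the `|s` token filter quotes the clicked value before it is placed into the search string.

```xml
<dashboard>
  <label>Row-based drilldown (constructed example)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Constructed sample rows matching the table in the question -->
          <query>| makeresults count=2
| streamstats count AS n
| eval ip=if(n==1, "11.11.11.1", "22.22.22.2")
| eval jim_pc=if(n==1, 1, 0), sally_pc=if(n==2, 1, 0), joe_pc=0
| table ip jim_pc sally_pc joe_pc</query>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- Only clicks in the ip column trigger the actions below -->
          <condition field="ip">
            <!-- $row.<fieldname>$ is the value of that column in the clicked row -->
            <eval token="first_valid_source">case($row.jim_pc$ == 1, "jimmy", $row.sally_pc$ == 1, "sally", $row.joe_pc$ == 1, "joseph")</eval>
            <set token="clicked_ip">$click.value$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Hidden until the drilldown has set first_valid_source -->
    <panel depends="$first_valid_source$">
      <table>
        <search>
          <!-- |s wraps the token value in quotes so it is treated as a string literal -->
          <query>| makeresults
| eval source=$first_valid_source|s$, ip=$clicked_ip|s$
| table source ip</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```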