Solved: How to access a fieldname within a case statement ...

russell120 · ‎02-06-2019

Hi, I have some sample/fake data represented as a table. When I click a value under ip, a drill down action is supposed to be ran based on if one of the 3 specific fields has a 1 as its value. How do I reference the fields here?

     ip      jim_pc  sally_pc  joe_pc
11.11.11.1     1        0        0
22.22.22.2     0        1        0

Here's the piece of my xml that seems to always stores null in the token:

<drilldown>
<eval token="first_valid_source">case(jim_pc == 1, "jimmy", sally_pc == 1, "sally", joe_pc == 1, "joseph")</eval>
...
</drilldown>

russell120 · ‎02-12-2019

@Vijeta

My workaround for this was to use multiple condition tag where where each field that needed a drilldown has their own condition. The notable thing I learned was in order for this to work, I needed to have "https://....(etc)" infront of the search query -- unlike my original setup.

Here is a sanitized example condition for the ip field:

<drilldown>
      <condition field="ip">
        <link target="_blank">https://sanitized-link-here.com/en-US/app/sanitizedApp/search?q=sourcetype= firstSourceType OR secondSourceType OR thirdSourceType ip = "$click.value$" | table ip Computer_Name MAC_Address Operating_System lastSeen | dedup ip&amp;earliest=-7d&amp;latest=now</link>
      </condition>
</drilldown>

View solution in original post

russell120 · ‎02-12-2019

@Vijeta

My workaround for this was to use multiple condition tag where where each field that needed a drilldown has their own condition. The notable thing I learned was in order for this to work, I needed to have "https://....(etc)" infront of the search query -- unlike my original setup.

Here is a sanitized example condition for the ip field:

<drilldown>
      <condition field="ip">
        <link target="_blank">https://sanitized-link-here.com/en-US/app/sanitizedApp/search?q=sourcetype= firstSourceType OR secondSourceType OR thirdSourceType ip = "$click.value$" | table ip Computer_Name MAC_Address Operating_System lastSeen | dedup ip&amp;earliest=-7d&amp;latest=now</link>
      </condition>
</drilldown>

Vijeta · ‎02-06-2019

@russell120

Try using $result.jim_pc$ instead of jim_pc, $result.sally$ for sally and $result.joseph$ for joseph in your case statement.

russell120 · ‎02-06-2019

@Vijeta Doing that returns:

404 Not Found

Return to Splunk home page

Page not found!
View more information about your request (request ID = xxxxxxxxxxxxxx) in Search

Vijeta · ‎02-06-2019

@russell120 Is that after you click on the drilldown link on your dashboard? what is the link?

russell120 · ‎02-06-2019

@Vijeta Yes, it is after I click the link. I run a query with a CSV and a table is created (similar to the example given above). The "links" are any of the ip field values.

Vijeta · ‎02-06-2019

@russell120 - What is the URL generated for the link?

russell120 · ‎02-06-2019

@Vijeta Sorry. The link is another search query:

<link target="_blank">search?q=sourcetype=$chosen_source_type$ ip = "$click.value$" | table $table_command_fields$ | dedup ip&earliest=-7d&latest=now</link>

Vijeta · ‎02-06-2019

@russell120 The link has to be a form or drilldown in splunk and not a search query. You need to either create another dashboard and pass these input parameters to the dashboard link.

This may be of help-

https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/DrilldownLinkToDashboard

russell120 · ‎02-06-2019

@Vijeta So it's impossible to reference fieldnames in a case statement the way its done in the XML in line 2 in my original question?

Vijeta · ‎02-06-2019

@russell120 I am assuming you are using drilldown on table visualization, in a panel, you will anyways need a result token to access your result values from search query.
Also please go through the link I shared in my previous comment , it is explained in a better way with example in the document.

How to access a fieldname within a case statement inside XML tags?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk