Splunk Search

Hyperlink an incident value to an external URL

jerinvarghese
Communicator

I have the below output from the Splunk query.

       Hostname   INC Number  Urgency   Time_CST           Description
    1  CMPS3      INC000013   3-Medium  03/31/20 09:22:31
    2  USBTNBTRF  INC000014   3-Medium  03/31/20 08:31:44
    3  GQPCW      INC000015   2-High    03/31/20 08:28:43

I have the incident number in the table.
How do I give a hyperlink for those incident numbers to my incident management URL specific to the incident?

Code that I use:

index=itsm sourcetype=remedy_midtier *Incident_Number* *Host:* NOT *-VO* NOT *WSG* NOT *IPA* NOT *ADS* NOT *-SEC* NOT "*WLNSGW*" AND ("*-LAN*" OR "*-WAN*" OR "*-APN*") AND "Node is down"
| search $timetestD$
| rex field=_raw "Incident_Number\W(?<ITSM_Number>.*)\W\WIncident_Number\W.*"
| rex field=_raw "(Host:\s)(?<Hostname>[^\.<]+\.)"
| eval Hostname = upper(Hostname)
| rex field=_raw "(Urgency:\s)(?<Urgency>\S-\D*[{lmwh}$])"
| rex field=_raw "(AlertID:\s)(?<AlertID>[^\D*]+)"
| rex field=_raw "(Open\s:\s)(?<Description>[^\.*]+)"
| top limit=10000 Hostname, ITSM_Number, _time , Urgency, AlertID, Description
| eval Hostname=replace(Hostname,"[.]","")
| dedup ITSM_Number
| rename Hostname as nodelabel
| eval Time_CST=_time
| sort -Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| rename nodelabel as Hostname, ITSM_Number as "INC Number", AlertID as "Alert ID"
| table Hostname, "INC Number",Urgency, Time_CST, Description
| eval Description=substr(Description,1,150)
| sort -Time_CST
0 Karma

DalJeanis
SplunkTrust

Here's the way to figure that out.

1) Take your incident number (INC000013) from the output, and go to your incident management system. Enter that incident number.

2) Next, take the URL from the browser and copy the whole URL to a text editor. Let's say it looks like this:

 http://my.whole.url.com/somesystem/somefolder?&GRC=INC000013&fubar=no&something="xxx";

3) Take that entire url, and put it into some test SPL, then add any escape characters needed. Make sure it comes out the same when you run it as the original you copied.

| makeresults 
| eval myURL = "http:\/\/my.whole.url.com\/somesystem\/somefolder?&GRC=INC000013&fubar=no&something=\"xxx\""

4) Now do the same thing, but put the incident number in a different field and concatenate them to build the URL. Use the same name for that incident field as you are using in your other program.

 | makeresults 
 | eval incident="INC000013"
 | eval myURL = "http:\/\/my.whole.url.com\/somesystem\/somefolder?&GRC=".incident."&fubar=no&something=\"xxx\""

5) When that last line is making the exact URL you want, take the last line and put it into your other SPL, and you have what you want.

0 Karma
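
Added example, not part of the answer above and not Splunk's own code: steps 4 and 5 applied per row, using the three incident numbers from the question plus one constructed malformed value. The URL is the placeholder from the answer; the names `base` and `INC_URL`, the host `TESTHOST` and the `^INC\d+$` format check are assumptions, added because the question's rex captures `ITSM_Number` with `.*`, so only values shaped like an incident number should end up in a link.

```spl
| makeresults count=4
| streamstats count AS n
| eval Hostname=case(n=1,"CMPS3", n=2,"USBTNBTRF", n=3,"GQPCW", n=4,"TESTHOST")
| eval ITSM_Number=case(n=1,"INC000013", n=2,"INC000014", n=3,"INC000015", n=4,"INC000016 extra text")
| eval base="http://my.whole.url.com/somesystem/somefolder?&GRC="
| eval INC_URL=if(match(ITSM_Number,"^INC\d+$"), base.ITSM_Number."&fubar=no&something=\"xxx\"", null())
| rename ITSM_Number AS "INC Number"
| table Hostname, "INC Number", INC_URL
```

The first three rows get a URL and the fourth is left with an empty `INC_URL`. In the real search, the first four lines are dropped and the two `eval` lines go before the `rename` that turns `ITSM_Number` into "INC Number".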

to4kawa
Ultra Champion
0 Karma