8

How can I get a URL to a specific Splunk event from a list of Splunk events returned by a search?

If it's not possible, and I need to create a search that only returns that event, is there some unique id for each event that I can use in the query?

Rob Bednark

2 Answers

5

In your search results, click the event time. In a popup that appears, click "At this time". This will create another search with only this one event selected. Now you can share your search as usual, e.g. by copying the link from the browser's navigation bar.


SnakE
  • 1
    Not exactly what I was looking for (it specifies a time rather than an id; there potentially could be multiple logs matching that time). But it seems like a workable solution. – Rob Bednark Oct 07 '20 at 21:41
  • 1
    @RobBednark Indeed it's not ideal. I had a case where this method selected two events which had exactly the same timestamp. However I still haven't seen any better way. – SnakE Oct 08 '20 at 22:48
1

You can use conditional linking to link to a specific event from a list.

The <condition> element allows you to get a particular event or other value, and use that value to build your link.

Here's an example from the Splunk conditional linking documentation:

<drilldown>
  <condition field="A">
    <link>[target_URL]?q=$[value_from_field_A]$</link>
  </condition>

  <condition field="B">
    <link>[other_target_URL]?q=$[value_from_field_B]$</link>
  </condition>
</drilldown>

Depending on the event that you want to target, you could use a value specific to that event (timestamp, source, etc.) to build the link.

freginold
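
Added example (not from either answer and not Splunk's own code): a Python helper that builds the kind of link the two answers describe, a search limited to the event's timestamp and narrowed by event-specific fields such as source or host, since the comments note that a timestamp alone can match more than one event. It assumes the Splunk Web search URL layout `/en-US/app/<app>/search` with `q`, `earliest` and `latest` parameters and millisecond timestamp resolution; the host name, index and field values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FIELD_NAME = re.compile(r"^[A-Za-z_][\w.]*$")

def spl_quote(value):
    """Quote a value for SPL, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def event_url(base_url, index, event_time, fields=None, app="search"):
    """Build a search URL whose time range is the 1 ms slot holding the event.

    event_time is ISO 8601 with an explicit UTC offset; fields maps field
    names (source, host, ...) to the values shown on the event.
    """
    t = datetime.fromisoformat(event_time)
    if t.tzinfo is None:
        raise ValueError("event_time needs an explicit UTC offset")
    # Integer milliseconds avoid float rounding in the epoch strings.
    ms = (t - EPOCH) // timedelta(milliseconds=1)
    terms = ["search", "index=" + spl_quote(index)]
    for name, value in (fields or {}).items():
        if not FIELD_NAME.match(name):
            raise ValueError("unexpected field name: %r" % name)
        terms.append(name + "=" + spl_quote(value))
    params = {
        "q": " ".join(terms),
        "earliest": "%d.%03d" % divmod(ms, 1000),      # inclusive bound
        "latest": "%d.%03d" % divmod(ms + 1, 1000),    # exclusive bound
    }
    # quote_via=quote encodes spaces as %20 rather than "+".
    return "%s/en-US/app/%s/search?%s" % (
        base_url.rstrip("/"), quote(app, safe=""),
        urlencode(params, quote_via=quote))

# Constructed sample: host name, index and field values are made up.
if __name__ == "__main__":
    print(event_url("https://splunk.example.com:8000", "main",
                    "2020-10-07T21:41:00.123+00:00",
                    {"source": "/var/log/app.log", "host": "web01"}))
```

Two events that share the same millisecond and the same field values will still both match, so add whichever further field distinguishes them.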