Many times, you will run across data in your events that you might not fully understand. For example, logs typically contain error codes that can be cryptic to figure out. You can use a lookup table to translate these error codes into something meaningful, if this makes sense. However, you can also create a workflow action to search the Internet for codes that, perhaps, you do not need to look up that often. Looking at what the greater web community has posted has certainly saved many administrators a sleepless night.
This recipe will show you how to build a workflow action that will allow you to take the status code from a search in Splunk and have it initiate a search in Google with the Google search terms already populated.
To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with navigating the Splunk user interface.
Follow the steps in this recipe to create a workflow action that allows you to trigger a Google search for the error codes in your events:
- Log in to your Splunk server.
- Select the Operational Intelligence application.
- Click on the Settings menu.
- Click on the Fields menu option.
- Click on the Workflow actions link.
- Click on New.
- Ensure that the Destination app is set to operational_intelligence app.
- Enter
Google_Searchin the Name field. This name must not contain any spaces or special characters. It will be used as the internal name of the action and is not the text that will be made visible.
- Enter
Google HTTP Status $status$in the Label field. The label is the text that will appear in the workflow dropdowns. It can contain a field name enclosed with dollar signs, which will be replaced with the value of that field in the event. - Enter
statusin the Apply only to the following fields box.
- In the Show action in dropdown, select Both, and in the Action type dropdown, select link.
- In the URI field under Link configuration, enter
http://google.com/search?q=http%20status%20$status$and ensure that the Link method field is set to get.
- Click on Save to finish creating the new workflow action.
- Let's now test the workflow action and see what it does. In a new search bar of your Operational Intelligence app, enter the following search over Last 15 minutes:
index=main sourcetype=access_combined
- As in the previous recipe, once the results are displayed, click on the little down arrow next to an event, and then click on the Event Actions button. You will see an option in the dropdown to run the Google search on the status code in the event.
- Clicking on this option in the dropdown will open a new tab in the browser that passes the status code to https://www.google.co.in/, and a Google search is then performed for the status code in question.
This recipe is similar to the previous recipe in approach. When your search results are rendered in the event listing, Splunk will match the returned fields and event types with the workflow actions you have configured and present the dropdown workflow actions as required. In this case, the status field was matched with the Google workflow action you created.
The basic GET link method used in this recipe inserts the variable value into the URI for the user to click on. In this case, the $status$ field variable inserts the HTTP status code into the Google search query URI so that the status code is passed within the URI when it is clicked on.
By utilizing the field name substitution in the label and the URI, you can create a full array of dynamically named workflow actions that can be generated to enable your users to link to other internal or external resources.
While workflow actions can be a convenient way to link to external resources based on the presence of certain fields in your events, it is possible to link data to external resources in other ways.
Workflow actions work well when you are in an event-based view, but sometimes you might wish to perform a Google search when looking at data within a visualization. By adding some simple modifications to the SimpleXML in a chart element, you can have the chart linked to Google as well.
<drilldown> <link target="_blank">http://google.com/search?q=$row.sourcetype$ </link> </drilldown>
You can replace $row.sourcetype$ with the correct chart variable you need to pass to your Google search.