Search with original text that was replaced earlier

Question

I am gathering performance metrics for each each api that we have. With the below query I get results as

method response_time
Create Billing 2343.2323

index="dev-uw2" logger_name="*Aspect*" message="*ApiImpl*"  | rex field=message "PerformanceMetrics - method='(?<method>.*)' execution_time=(?<response_time>.*)" | table method, response_time   | replace "public com.xyz.services.billingservice.model.Billing com.xyz.services.billingservice.api.BillingApiImpl.createBilling(java.lang.String)” WITH "Create Billing” IN method

If the user clicks on each api text in table cell to drill down further it will open a new search with "Create Billing" obviosuly it will give zero results since we don't have any log with that string.

I want splunk to search with original text that was replaced earlier.

score 0 · Answer 1 · answered Dec 10 '17 at 20:47

0

You can use click.value to get around this.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/tokens

answered Dec 10 '17 at 20:47

skoelpin

212
1
5

Search with original text that was replaced earlier

1 Answers1