Splunk® Enterprise

Knowledge Manager Manual


Use special parameters in workflow actions

There are special parameters for workflow actions that begin with an "@" sign. Two of these special parameters are for field menus only. They enable you to set up workflow actions that apply to all fields in the events to which they apply.

  • @field_name - Refers to the name of the field being clicked on.
  • @field_value - Refers to the value of the field being clicked on.

The other special parameters are:

  • @sid - Refers to the sid of the job that returned the event.
  • @offset - Refers to the offset of the event in the job.
  • @namespace - Refers to the namespace from which the job was dispatched.
  • @latest_time - Refers to the latest time the event occurred. It is used to distinguish similar events from one another. It is not always available for all fields. @latest_time is not supported by Dashboard Studio.

Example - Create a workflow action that applies to all fields in an event

You can update the Google search example discussed in Set up a GET workflow action so that it searches on the field name and field value of every field in an event to which it applies. Change the title to "Google this field and value" and replace the URI of that action with http://www.google.com/search?q=$@field_name$+$@field_value$.

This results in a workflow action that searches on whichever field/value combination you're viewing a field menu for. If you're looking at the field menu for sourcetype=access_combined and select the "Google this field and value" field action, the resulting Google search is sourcetype accesscombined.

Remember: Workflow actions using the @field_name and/or @field_value parameters are not compatible with event-level menus.

Example - Show the source of an event

This workflow action uses the other special parameters to show the source of an event in your raw search data.

The Action type is link and its Link method is get. Its Title is Show source. The URI is /app/$@namespace$/show_source?sid=$@sid$&offset=$@offset$&latest_time=$@latest_time$.
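
The two examples above, written as workflow_actions.conf stanzas. This is an added illustration, not text from the manual: the stanza names and the fields = * scope are assumptions, and display_location is set so that each action appears only in the menu its parameters support.

```ini
# workflow_actions.conf (added illustration; stanza names are hypothetical)

# Field-menu action: @field_name and @field_value refer to the field being
# clicked on, so the action is limited to field menus.
[google_field_and_value]
type = link
label = Google this field and value
display_location = field_menu
# Assumption: offer the action on every field.
fields = *
link.method = get
link.target = blank
# This URI sends the clicked field's name and value to an external host.
link.uri = http://www.google.com/search?q=$@field_name$+$@field_value$

# Event-menu action: uses only the job-level parameters, so it does not
# depend on a clicked field.
[show_source_example]
type = link
label = Show source
display_location = event_menu
# Assumption: apply to events regardless of which fields they contain.
fields = *
link.method = get
link.uri = /app/$@namespace$/show_source?sid=$@sid$&offset=$@offset$&latest_time=$@latest_time$
```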

Last modified on 14 July, 2023

This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1

