Use special parameters in workflow actions
There are special parameters for workflow actions that begin with an "@" sign. Two of these special parameters are for field menus only. They enable you to set up workflow actions that apply to all fields in the events to which they apply.
- @field_name - Refers to the name of the field being clicked on.
- @field_value - Refers to the value of the field being clicked on.
The other special parameters are:
- @sid - Refers to the sid of the job that returned the event
- @offset - Refers to the offset of the event in the job
- @namespace - Refers to the namespace from which the job was dispatched
- @latest_time - Refers to the latest time the event occurred. It is used to distinguish similar events from one another. It is not always available for all fields.
Example - Create a workflow action that applies to all fields in an event
You can update the Google search example discussed above (in the GET link workflow action section) so that it enables a search of the field name and field value for every field in an event to which it applies. All you need to do is change the title to Google this field and value
and replace the URI of that action with http://www.google.com/search?q=$@field_name$+$@field_value$.
This results in a workflow action that searches on whichever field/value combination you're viewing a field menu for. If you're looking at the field menu for sourcetype=access_combined
and select the Google this field and value field action, the resulting Google search is sourcetype accesscombined.
Remember: Workflow actions using the @field_name and/or @field_value parameters are not compatible with event-level menus.
Example - Show the source of an event
This workflow action uses the other special parameters to show the source of an event in your raw search data.
The Action type is link and its Link method is get. Its Title is Show source. The URI is /app/$@namespace$/show_source?sid=$@sid$&offset=$@offset$&latest_time=$@latest_time$
. It's only applied to events that have the _cd
field.
Try setting this workflow action up in your app (if it isn't installed already) and see how it works.
Control workflow action appearance in field and event menus | About tags and aliases |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406
Feedback submitted, thanks!