Forum Discussion
j0ebeer
Jul 21, 2021 · Copper Contributor
Workbook link to run query
Is it possible to run a query on a specific field from a workbook? For example, a workbook query shows SrcIP, DstIP, DstPort and there is a specific DstPort that I want to run a query on. In Splunk...
j0ebeer
Jul 27, 2021 · Copper Contributor
Thanks for the replies, but I'm not sure they answer what I'm looking for. In the Workbook is the grid showing various fields of a log: Src/Dst/Port/etc. I'm looking to see if it is possible to click on a selected field and then have a new query run in the Logs section of Sentinel. For example, I have 3 logs showing the same src & dst but with 3 different ports (22, 80, 443); what I want to do is click on the 22 and open a new search in the Logs view that starts a search for port = 22. That way I can see what other logs may have used port 22 beyond what the workbook query is showing.
GaryBushey
Jul 27, 2021 · Bronze Contributor
In that case, what Clive wrote will work. If you know it will only be those 3 ports for example, you can add them to a parameter list and then when a user selects one of those, the query will be run with the selected value. Again, the URL that Clive listed will be the best place to start.
CliveWatson
Jul 28, 2021 · Former Employee
What you can't do is select a value within a column (so if the Port column has 22, 80, 443); you should add a filter parameter above the grid, where you build the port list dynamically. You can then select the port from the parameter and show the matching rows. My Public IP workbook does this for ports, using the option group control: https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/PublicIP/PublicIP%20v0.2.3release.workbook
In the Network tab, the grid (below left) will adjust depending on the port you select from the [option group].