I am trying to append the click value to the drill down search, it is appending the value first search clause. but i want it to append to the sub search, is there any way to append the click value to the sub search. Below is the code i am using
<?xml version="1.0" encoding="UTF-8"?>
<!-- COMMON CONTROLS END -->
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<param name="chart.nullValueMode">zero</param>
<param name="charting.legend.placement">none</param>
<param name="secondaryAxisTitle.text">Response Time</param>
<module name="FlashChart">
<!-- <module name="ConvertToDrilldownSearch">
<module name="SimpleResultsTable">
</module> -->
<!-- swap out the search to be a timechart. -->
<module name="HiddenSearch">
<param name="search">
index=test source=/tmp/* |
rex "JSESSIONID.*\s(?<response_time> [\d]+)"|
stats avg(response_time) AS response by X_Forwarded_For |
geoip X_Forwarded_For |
where X_Forwarded_For_country_name=$click.value$ |
stats avg(response) AS responsetime by X_Forwarded_For_city |
where responsetime > 0
</param>
<param name="earliest">-3d</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="X_Forwarded_For_country_name">$click.value$</param>
</param>
<!-- tells the addterm intention to put our term in the first search clause no matter what. -->
<!-- <param name="flags"><list>indexed</list></param> -->
</param>
<!-- finally, render the search in another FlashChart, -->
<!-- and add a JobProgressIndicator for good measure. -->
<module name="JobProgressIndicator"></module>
<!-- Use a header to tell the user what they clicked on. -->
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">
Response_time for cities in $click.value$
</param>
</module> <!-- End SimpleResultsHeader-->
<module name="HiddenChartFormatter">
<param name="chart">table</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">events per second</param>
<param name="legend.placement">none</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">160px</param>
</module> <!-- End FlashChart-->
</module> <!-- End HiddenChartFormatter -->
</module> <!-- End convert to Intention -->
</module> <!-- End HiddenSearch -->
</module> <!-- End FlashChart-->
</module> <!-- End HiddenChartFormatter -->
<!-- End HiddenSearch -->
You're using Sideview Utils, but then you're still using pieces of the old core stuff that Sideview Utils makes obsolete, like intentions.
Here is a cleaned up version of the view, converted to replace your HiddenSearch+ConvertToIntention combination with just a Sideview Search module.
This way you don't need intentions, so you don't need to figure out what was wrong with the intentions you were using (btw you needed a stringreplace intention here not an addterm but it doesn't matter. It's way easier just to be consistent and use Sideview Utils techniques since you're already using Sideview stuff elsewhere in the view)
<view template="dashboard.html">
<label>API Performance</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="appHeader"/>
<module name="SideviewUtils" layoutPanel="appHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter"></param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="Message" layoutPanel="messaging">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
</module>
<module name="URLLoader" layoutPanel="viewHeader" autorun="True">
<module name="TimeRangePicker" layoutPanel="panel_row1_col1" group="Web Logs by Country">
<param name="selected">Last 7 days</param>
<param name="searchWhenChanged">True</param>
<module name="Search">
<param name="search"><![CDATA[
index=test source=/tmp/ | rex "JSESSIONID.*s(?<response_time>[d]+)"|
stats avg(response_time) AS response by X_Forwarded_For |
geoip X_Forwarded_For | where X_Forwarded_For_country_name !=""|
stats avg(response) AS responsetime by X_Forwarded_For_country_name|
where responsetime > 500 |
sort -responsetime
]]></param>
<module name="JobProgressIndicator"></module>
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<param name="chart.nullValueMode">zero</param>
<param name="charting.legend.placement">none</param>
<param name="secondaryAxisTitle.text">Response Time</param>
<module name="FlashChart">
<module name="Search">
<param name="search"><![CDATA[
index=test source=/tmp/* |
rex "JSESSIONID.*\s(?<response_time> [\d]+)"|
stats avg(response_time) AS response by X_Forwarded_For |
geoip X_Forwarded_For |
where X_Forwarded_For_country_name=$click.value$ |
stats avg(response) AS responsetime by X_Forwarded_For_city |
where responsetime > 0
]]></param>
<param name="earliest">-3d</param>
<module name="JobProgressIndicator"></module>
<module name="HTML">
<param name="html"><![CDATA[
<h3>Response_time for cities in $click.value$</h3>
]]></param>
</module>
<module name="HiddenChartFormatter">
<param name="chart">table</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">events per second</param>
<param name="legend.placement">none</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">160px</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
What I did specifically -
And for a fair apples-to-apples comparison, here's what the view looks like, cleaned up but not converted (so don't use this XML because it has the same problem you asked me to solve =).
<view autocancelinterval="90" isvisible="true" onunloadcanceljobs="true" template="dashboard.html">
<label>API Performance</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="appHeader"/>
<module name="SideviewUtils" layoutPanel="appHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter"></param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="Message" layoutPanel="messaging">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
</module>
<module name="URLLoader" layoutPanel="viewHeader" autorun="True">
<module name="TimeRangePicker" layoutPanel="panel_row1_col1" group="Web Logs by Country">
<param name="selected">Last 7 days</param>
<param name="searchWhenChanged">True</param>
<module name="Search">
<param name="search"><![CDATA[
index=test source=/tmp/ | rex "JSESSIONID.*s(?<response_time>[d]+)"|
stats avg(response_time) AS response by X_Forwarded_For |
geoip X_Forwarded_For | where X_Forwarded_For_country_name !=""|
stats avg(response) AS responsetime by X_Forwarded_For_country_name|
where responsetime > 500 |
sort -responsetime
]]></param>
<module name="JobProgressIndicator"></module>
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<param name="chart.nullValueMode">zero</param>
<param name="charting.legend.placement">none</param>
<param name="secondaryAxisTitle.text">Response Time</param>
<module name="FlashChart">
<module name="HiddenSearch">
<param name="search">
index=test source=/tmp/* |
rex "JSESSIONID.*\s(?<response_time> [\d]+)"|
stats avg(response_time) AS response by X_Forwarded_For |
geoip X_Forwarded_For |
where X_Forwarded_For_country_name=$click.value$ |
stats avg(response) AS responsetime by X_Forwarded_For_city |
where responsetime > 0
</param>
<param name="earliest">-3d</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="X_Forwarded_For_country_name">$click.value$</param>
</param>
</param>
<module name="JobProgressIndicator"></module>
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">
Response_time for cities in $click.value$
</param>
</module>
<module name="HiddenChartFormatter">
<param name="chart">table</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">events per second</param>
<param name="legend.placement">none</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">160px</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
You're using Sideview Utils, but then you're still using pieces of the old core stuff that Sideview Utils makes obsolete, like intentions.
Here is a cleaned up version of the view, converted to replace your HiddenSearch+ConvertToIntention combination with just a Sideview Search module.
This way you don't need intentions, so you don't need to figure out what was wrong with the intentions you were using (btw you needed a stringreplace intention here not an addterm but it doesn't matter. It's way easier just to be consistent and use Sideview Utils techniques since you're already using Sideview stuff elsewhere in the view)
<view template="dashboard.html">
<label>API Performance</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="appHeader"/>
<module name="SideviewUtils" layoutPanel="appHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter"></param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="Message" layoutPanel="messaging">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
</module>
<module name="URLLoader" layoutPanel="viewHeader" autorun="True">
<module name="TimeRangePicker" layoutPanel="panel_row1_col1" group="Web Logs by Country">
<param name="selected">Last 7 days</param>
<param name="searchWhenChanged">True</param>
<module name="Search">
<param name="search"><![CDATA[
index=test source=/tmp/ | rex "JSESSIONID.*s(?<response_time>[d]+)"|
stats avg(response_time) AS response by X_Forwarded_For |
geoip X_Forwarded_For | where X_Forwarded_For_country_name !=""|
stats avg(response) AS responsetime by X_Forwarded_For_country_name|
where responsetime > 500 |
sort -responsetime
]]></param>
<module name="JobProgressIndicator"></module>
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<param name="chart.nullValueMode">zero</param>
<param name="charting.legend.placement">none</param>
<param name="secondaryAxisTitle.text">Response Time</param>
<module name="FlashChart">
<module name="Search">
<param name="search"><![CDATA[
index=test source=/tmp/* |
rex "JSESSIONID.*\s(?<response_time> [\d]+)"|
stats avg(response_time) AS response by X_Forwarded_For |
geoip X_Forwarded_For |
where X_Forwarded_For_country_name=$click.value$ |
stats avg(response) AS responsetime by X_Forwarded_For_city |
where responsetime > 0
]]></param>
<param name="earliest">-3d</param>
<module name="JobProgressIndicator"></module>
<module name="HTML">
<param name="html"><![CDATA[
<h3>Response_time for cities in $click.value$</h3>
]]></param>
</module>
<module name="HiddenChartFormatter">
<param name="chart">table</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">events per second</param>
<param name="legend.placement">none</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">160px</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
What I did specifically -
And for a fair apples-to-apples comparison, here's what the view looks like, cleaned up but not converted (so don't use this XML because it has the same problem you asked me to solve =).
<view autocancelinterval="90" isvisible="true" onunloadcanceljobs="true" template="dashboard.html">
<label>API Performance</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="appHeader"/>
<module name="SideviewUtils" layoutPanel="appHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter"></param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="Message" layoutPanel="messaging">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
</module>
<module name="URLLoader" layoutPanel="viewHeader" autorun="True">
<module name="TimeRangePicker" layoutPanel="panel_row1_col1" group="Web Logs by Country">
<param name="selected">Last 7 days</param>
<param name="searchWhenChanged">True</param>
<module name="Search">
<param name="search"><![CDATA[
index=test source=/tmp/ | rex "JSESSIONID.*s(?<response_time>[d]+)"|
stats avg(response_time) AS response by X_Forwarded_For |
geoip X_Forwarded_For | where X_Forwarded_For_country_name !=""|
stats avg(response) AS responsetime by X_Forwarded_For_country_name|
where responsetime > 500 |
sort -responsetime
]]></param>
<module name="JobProgressIndicator"></module>
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<param name="chart.nullValueMode">zero</param>
<param name="charting.legend.placement">none</param>
<param name="secondaryAxisTitle.text">Response Time</param>
<module name="FlashChart">
<module name="HiddenSearch">
<param name="search">
index=test source=/tmp/* |
rex "JSESSIONID.*\s(?<response_time> [\d]+)"|
stats avg(response_time) AS response by X_Forwarded_For |
geoip X_Forwarded_For |
where X_Forwarded_For_country_name=$click.value$ |
stats avg(response) AS responsetime by X_Forwarded_For_city |
where responsetime > 0
</param>
<param name="earliest">-3d</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="X_Forwarded_For_country_name">$click.value$</param>
</param>
</param>
<module name="JobProgressIndicator"></module>
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">
Response_time for cities in $click.value$
</param>
</module>
<module name="HiddenChartFormatter">
<param name="chart">table</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">events per second</param>
<param name="legend.placement">none</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">160px</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
thanks sideview
Thanks sideview, its working... thanks for pointing the issues in my code and also laying out the differences.. I will use the sideview utils instead of the intentions... sideview unitls makes life easier.