Solved: Re: Populating Search bar from Sideview utils crea...

stephenho · ‎02-17-2013

Hi All,

I'm having some trouble trying to populate a search bar with details from a chart. I've looked at

http://splunk-base.splunk.com/answers/63886/i-just-need-to-see-a-simple-example-of-using-clickvalue-...

However, when I use the click.searchTerms parameter it doesnt' seem to work. My page does appear but the search field is not populated.

Here's an excerpt of my code

<param name="html">Login Details</param>
<module name="Search">
   <param name="search">host=example *example2* $ABC$ |rex field=_raw "Auth: (?<authentication>[^\(|\:]*)"|rex mode=sed field=authentication "s/\s*$$//g" | timechart count(authentication) by authentication |fields - NULL</param>
   <module name="JobProgressIndicator">
      <module name="HiddenChartFormatter">
         <param name="primaryAxisTitle.text">Time</param>
         <param name="chart">column</param>
         <param name="charting.layout.splitSeries">True</param>
         <param name="chartTitle">Login Details</param>
         <module name="FlashChart">
            <param name="height">400px</param>
            <module name="Redirector">
               <param name="url">flashtimeline</param>
               <param name="popup">True</param>
               <param name="arg.q">search $click.searchTerms$</param>
            </module>
         </module>
      </module>
   </module>
</module>

Can anyone offer any advice?

Thanks,

Steve

sideview · ‎02-18-2013

The problem is that your search has a little bit of extra search language after the timechart command, and when Sideview Utils sees that the last command isn't a straight-up reporting command, it no longer trusts its ability to figure out what the correct searchterms would be for the drilldown click.

If you picture an eval command there actually monkeying with the values you can see how problematic that would be. And even the fields command could disrupt things by reordering fields.

In this case since you can have the same effect as | fields - NULL in the timechart command itself, the fix here is easy -- remove that fields clause on the end and instead have this be your timechart clause -

timechart usenull=f count by authentication

I also took the liberty of replacing count(authentication) with simply count, because the two are equivalent in this case.

Should be good to go. Good question. 😃

View solution in original post

sideview · ‎02-18-2013

The problem is that your search has a little bit of extra search language after the timechart command, and when Sideview Utils sees that the last command isn't a straight-up reporting command, it no longer trusts its ability to figure out what the correct searchterms would be for the drilldown click.

If you picture an eval command there actually monkeying with the values you can see how problematic that would be. And even the fields command could disrupt things by reordering fields.

In this case since you can have the same effect as | fields - NULL in the timechart command itself, the fix here is easy -- remove that fields clause on the end and instead have this be your timechart clause -

timechart usenull=f count by authentication

I also took the liberty of replacing count(authentication) with simply count, because the two are equivalent in this case.

Should be good to go. Good question. 😃

sideview · ‎02-18-2013

Also note that because of the < and > chars in your rex, you'll have to either manually escape that search string, or wrap it in a CDATA block. I suspect you already know this because the same problem would have prevented your main search from working in the XML.

sideview · ‎02-18-2013

That's right, $click.searchTerms$ will be just the searchterms that will implement that one drilldown click. It doesn't roll up the whole search for you. So you should do host=example *example2* $ABC$ |rex field=_raw "Auth: (?<authentication>[^\(|\:]*)"|rex mode=sed field=authentication "s/\s*$$//g" | search $click.searchTerms$

NOTE that haven't wired up the timerange yet. Add <param name="arg.earliest">$search.timeRange.earliest$</param> and <param name="arg.latest">$search.timeRange.latest$</param> to Redirector. That way you'll pass the search and also the timerange.

stephenho · ‎02-18-2013

Thanks SV. I actually am getting values now, but am i only expecting the value from the chart? As opposed to getting the entire search string + the value on the chart, all I get is the value of what I clicked on. I can easily sort that out by prepending the redirector with the full search, but is there a better way to do it?

sideview · ‎02-18-2013

Your config looks fine so I think what's happening is that you just have an older version of Sideview Utils.

Possibly you only have the latest on Splunkbase, but that's the 1.3.5 version. The $click.searchTerms$ key wasn't added until 2.0.8 and the latest on the Sideview site is 2.4.

Anyway, let me know your version and if this isn't the cause then I'll update my answer and take another crack. 😃

sideview · ‎02-18-2013

Interesting! No, 2.3 should be new enough. Let me take a look and see if I can think of something else. Strange. I'll post back shortly.

stephenho · ‎02-18-2013

Hey There, thanks for the prompt reply. According to splunk i'm using Sideview Version 2.3. Do I need to find someone to upgrade the version to 2.4?

Cheers,

Steve

sideview · ‎02-18-2013

OK. I can help. What version of Sideview Utils do you have? My guess is that you just have an older version. Latest from Sideview website is 2.4, whereas what's on Splunkbase is an ancient 1.3.5 version. The searchTerms feature wasn't added until 2.0.8

Populating Search bar from Sideview utils created chart

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk