Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

DB Connect and ConvertToIntention Problem

vrmerlin
New Member
‎04-29-2013 01:26 PM

I’m attempting to make an Advanced XML dashboard that drills down from one chart to another chart. I’ve used a UI Example to get me started.

The first search chart comes up fine. Unfortunately, I can’t get the drilldown search to display any results. I think the nature of my query is causing problems with the ConvertToIntention module. The unusual element in my two searches (top and drilldown) is that it’s a dbquery (i.e. DB Connect).

My first HiddenSearch query contains:

  | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "Fix Version"

This creates a column chart exactly as I want. When the user clicks on a column, it passes the Fix Version to a drilldown search which is in the XML as:

  | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "ASSIGNEE"

(“[STUFF]” is the same in each search).

When I try that search alone in a search window it seems to behave fine (except that it’s for all Fix Versions). But, when I inspect the drilldown search, Splunk reports it’s trying to do this:

  None | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "ASSIGNEE" | search "Fix Version"="13.3.0"

And, what I believe I need is this (which in a search window does just what I want):

  | dbquery JIRA limit=1000 "select [STUFF]" | search "Fix Version"="13.3.0" | chart count("pkey") by "ASSIGNEE"

So, the added search term seems to showing up in the wrong place. How can I fix that?

Thanks,
John

Tags (2)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎04-29-2013 07:16 PM

It sounds like you're using an 'addterm' intention, when here you need a 'stringreplace' intention.

the 'addterm' intention had that behavior where it will ultimately take the argument and try to add it as a simple searchterm in a search clause. And if there is a reporting command involved, addterm will happily tack on a whole other search clause just like that.

the 'stringreplace' intention on the other hand, while a lot harder to work with, is for substituting the given argument into a $foo$ token in the search as specified by a HiddenSearch module.

Incidentally you might want to look at Sideview Utils. It brings in a lot of practical improvements, a lot of which make drilldowns easier to set up and maintain. The most important being that you don't have to use or think about intentions at all anymore - with Sideview Utils you can just plug your arguments right into the $foo$ tokens and skip the messy middle part of fighting with the intention system.

http://sideviewapps.com/apps/sideview-utils

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...