Splunk Search

What is an intention?

the_wolverine
Champion

In Splunk, what is an intention? The Splexicon somewhat describes it... but not really:

http://www.splunk.com/base/Splexicon:Intention

1 Solution

sideview
SplunkTrust

Right now that description could use some improvement. I'll send an email and over the short term this question, answer and that page will likely evolve a bit.

Intentions are an abstraction layer that allows the UI to make a common subset of search-language modifications to any given search string, without having to have any language-parsing code on the client.

Modules can contribute to the user's eventual search in a number of ways:

  1. modules can change out the underlying 'base search' string (SearchBar, HiddenSearch, HiddenSavedSearch do this),
  2. they can add or modify or clear the intentions that live on top of that 'base search' (SearchSelectLister, basically all 'form search' modules do this),
  3. they can add or modify time ranges (TimeRangePicker as well as HiddenSearch, HiddenSavedSearch),

that's about it as far as altering the search that eventually gets run.

To give some specific examples of intentions:

a) an 'addterm' intention can be used to safely add either "foo" or foo="bar" to the search, and it can also specify whether the term should be added to the first search clause, or added at the end after any renames/rex clauses etc.

b) a 'toggleterm' intention is rarely useful to third-party developers but very central to the Splunk UI - it is much like addterm except that if it finds the corresponding search language piece is already there it will remove it instead of adding it.

c) the 'plot' intention can do common permutations of top/rare/timechart and is what powers report builder's 'basic' mode.

d) the 'stringreplace' intention allows you to turn a selected element from the UI into a specific string in a specific place in the underlying search string. This intention breaks the normal intention model in that 1) it requires special matching syntax to be present in the underlying search string (i.e. $foo$), 2) it's thus impossible to run the operation in reverse, i.e. to 'decompose' a search string into a smaller base search plus some 'stringreplace' intentions. In short, although the concept behind stringreplace is a lot more familiar and simpler, the configuration for it is quite complicated and it's best to use it as an advanced tool when 'addterm' can't be used. Examples of this would be when you need to replace tokens in a subsearch, or replace tokens in another command like transaction.

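To make the difference between the addterm, toggleterm and stringreplace intentions described in the answer above concrete, here is an added example (not Splunk's own code, and not how the real UI implements it): a simplified model that rewrites a base search string the way those intentions do. It assumes clauses are separated by `|` outside of quotes, that addterm renders values as escaped double-quoted literals, and that stringreplace leaves unknown `$name$` tokens untouched; all function names are my own.

```python
import re

# Added example, not Splunk's own code: a simplified model of the intention
# layer described above, rewriting a base search string without a real
# search-language parser. Assumptions: clauses are separated by '|' outside
# quotes, addterm renders values as escaped double-quoted literals, and
# stringreplace substitutes $name$ tokens verbatim (unknown tokens are kept).

def _quote(value):
    """Render a value as a double-quoted literal, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def _term(field, value):
    """Either a bare quoted term ("foo") or a field comparison (foo="bar")."""
    return _quote(value) if field is None else f"{field}={_quote(value)}"

def _split(search):
    return [c.strip() for c in search.split("|")]

def addterm(search, field, value, at_end=False):
    """Add the term to the first clause, or as a trailing 'search' clause
    so that it applies after any rename/rex commands."""
    clauses = _split(search)
    term = _term(field, value)
    if at_end:
        clauses.append(f"search {term}")
    else:
        clauses[0] = f"{clauses[0]} {term}".strip()
    return " | ".join(clauses)

def toggleterm(search, field, value):
    """Like addterm, except the term is removed if the first clause already has it."""
    clauses = _split(search)
    term = _term(field, value)
    padded = f" {clauses[0]} "
    if f" {term} " in padded:
        clauses[0] = padded.replace(f" {term} ", " ", 1).strip()
        return " | ".join(clauses)
    return addterm(search, field, value)

def stringreplace(search, **tokens):
    """Substitute $name$ placeholders with raw strings. Nothing is quoted or
    escaped, which is why this intention cannot be reversed into a base
    search plus intentions the way addterm can."""
    return re.sub(r"\$(\w+)\$", lambda m: tokens.get(m.group(1), m.group(0)), search)
```

Applying toggleterm twice returns the original search, which is the round-trip property addterm and toggleterm have and stringreplace lacks.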

sideview
SplunkTrust

Thanks for pointing that out, Lowell. Added some comments.


Lowell
Super Champion

What about the stringreplace intention? Could you add that to your list as well as make a few comments on that?
