HiddenPostProcess appended to ConvertToDrillDown Search (sometimes)

SarahWKarvenz
Path Finder

I have two dashboards, both of which use the HiddenSearch module and then perform a HiddenPostProcess to create separate charts. When I add in the ConvertToDrillDown module on one of the pages, it appends my HiddenPostProcess code to the drill down search. This is regardless of if I use a new HiddenSearch or sideview utils Search or the generic drill down (which I don't want as the main search is on summary data and I want to drill into raw data).

On the other page, the drill down works as expected and does not add the HiddenPostProcess to the HiddenSearch.

Page 1 code for the page that does not append the post process chart information and works correctly:

                  <module name="HiddenSearch">
                    <param name="search">
                    index=errvol_summary_fivemin report="1min_Counts" NOT CATEGORY="----" orig_host=$HOST$ JVM=$JVM$  APP=$APP$ LOG_PLATFORM=$LOG_PLATFORM$ DATACENTER=$DATACENTER$ CATEGORY=$CATEGORY$
                    PIPELINE=$PIPELINE$ | stats sum(count) AS count by APP DATACENTER JVM CATEGORY LOG_PLATFORM orig_host PIPELINE | eval host=orig_host</param>
                    <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
                      <param name="searchWhenChanged">True</param>
                      <param name="selected">Last 15 Minutes</param>
                      <module name="SubmitButton">
                        <param name="allowSoftSubmit">True</param>
                        <param name="label">Submit</param>
                        <module name="JobStatusMin">
                          <param name="showCreateMenu">False</param>
                          <param name="showSaveMenu">False</param>
                          <param name="showJobInspector">False</param>
                          <param name="showPrintButton">False</param>
                          <param name="statusType">progress</param>
                          <param name="resultsLink">
                            <param name="popup">True</param>
                            <param name="viewTarget">report_builder_define_data</param>
                            <param name="transformedResultsViewTarget">report_builder_format_report</param>
                          </param>
                          <module name="HiddenPostProcess" layoutPanel="panel_row2_col1" group="Log Summary By Category" autoRun="True">
                            <param name="search">chart sum(count) over CATEGORY</param>
                            <param name="groupLabel">Log Summary By Category</param>
                            <module name="HiddenChartFormatter">
                              <param name="charting.chart">pie</param>
                              <param name="charting.chart.sliceCollapsingThreshold">0</param>
                              <module name="JSChart">
                                <param name="width">100%</param>
                                <module name="Gimp" />
                                <module name="ConvertToIntention">
                                  <param name="settingToConvert">
                                  platform_setting</param>
                                  <param name="intention">
                                    <param name="name">
                                    stringreplace</param>
                                    <param name="arg">
                                      <param name="LOG_PLATFORM">
                                        <param name="value">
                                        $target$</param>
                                      </param>
                                    </param>
                                  </param>
                                  <module name="ConvertToIntention">
                                    <param name="settingToConvert">
                                    app_setting</param>
                                    <param name="intention">
                                      <param name="name">
                                      stringreplace</param>
                                      <param name="arg">
                                        <param name="APP">
                                          <param name="value">
                                          $target$</param>
                                        </param>
                                      </param>
                                    </param>
                                    <module name="ConvertToIntention">
                                      <param name="settingToConvert">
                                      cat_setting</param>
                                      <param name="intention">
                                        <param name="name">
                                        stringreplace</param>
                                        <param name="arg">
                                          <param name="CATEGORY">
                                            <param name="value">
                                            $target$</param>
                                          </param>
                                        </param>
                                      </param>
                                      <module name="ConvertToIntention">
                                        <param name="settingToConvert">
                                        loc_setting</param>
                                        <param name="intention">
                                          <param name="name">
                                          stringreplace</param>
                                          <param name="arg">
                                            <param name="DATACENTER">
                                              <param name="value">
                                              $target$</param>
                                            </param>
                                          </param>
                                        </param>
                                        <module name="ConvertToIntention">
                                          <param name="settingToConvert">
                                          pipe_setting</param>
                                          <param name="intention">
                                            <param name="name">
                                            stringreplace</param>
                                            <param name="arg">
                                              <param name="PIPELINE">
                                                <param name="value">
                                                $target$</param>
                                              </param>
                                            </param>
                                          </param>
                                          <module name="HiddenSearch">
                                            <param name="search">
                                            `errVolIndex`
                                            sourcetype=ecomm_app_error*
                                            | eval CATEGORY=coalesce(ERR_TYPE_FULL, LOG_CATEGORY_FULL, LOG_TYPE) 
                                            | fillnull value="----" LOG_PLATFORM APP LOG_CATEGORY DATACENTER CATEGORY PIPELINE 
                                            | search APP=$APP$ LOG_PLATFORM=$LOG_PLATFORM$ DATACENTER=$DATACENTER$ PIPELINE=$PIPELINE$ </param>
                                            <module name="ConvertToDrilldownSearch">
                                              <module name="ViewRedirector">
                                                <param name="viewTarget">flashtimeline</param>
                                              </module>
                                            </module>
                                            <!-- End ConvertToDrilldownSearch -->
                                          </module>
                                          <!-- End HiddenSearch -->
                                        </module>
                                      </module>
                                    </module>
                                  </module>
                                </module>
                              </module>
                            </module>
                          </module>

Page 2 code for page that appends the HiddenPostProcess to the drill down search:

              <module name="HiddenSearch">
                <param name="search">index=errvol_summary_fivemin report="1min_Counts" orig_host="$HOST$" JVM="$JVM$" 
                  APP=$APP$ LOG_PLATFORM=$LOG_PLATFORM$ DATACENTER=$DATACENTER$ CATEGORY=$CATEGORY$ PIPELINE=$PIPELINE$ NOT CATEGORY="----"
                  | eval host=orig_host | stats sum(count) AS count by APP DATACENTER JVM CATEGORY LOG_PLATFORM host 
                </param>
                <module name="TimeRangePicker" layoutPanel="mainSearchControls">
                  <param name="searchWhenChanged">True</param>
                  <param name="selected">Last 15 Minutes</param>
                  <module name="SubmitButton">
                    <param name="allowSoftSubmit">True</param>
                    <param name="label">Submit</param>

                    <module name="JobStatusMin">
                      <param name="showJobInspector">False</param>
                      <param name="showPrintButton">False</param>
                      <param name="statusType">progress</param>
                      <param name="showCreateMenu">False</param>
                      <param name="showSaveMenu">False</param>
                      <param name="resultsLink">
                        <param name="popup">True</param>
                        <param name="viewTarget">report_builder_define_data</param>
                        <param name="transformedResultsViewTarget">report_builder_format_report</param>
                      </param>
                      <module name="HiddenPostProcess" layoutPanel="panel_row1_col1" group="Errors By Host" autoRun="True">
                        <param name="groupLabel">Errors by Host</param>
                        <param name="search">chart sum(count) AS sum over host by CATEGORY | fields - JVM | table host *</param>

                        <module name="SimpleResultsTable" layoutPanel="panel_row1_col1">
                          <param name="count">10</param>
                          <param name="displayRowNumbers">False</param>
                          <param name="drilldown">row</param>
                          <module name="HiddenSearch">
                            <param name="search">
                            `errVolIndex`
                            sourcetype=ecomm_app_error*
                            | eval CATEGORY=coalesce(ERR_TYPE_FULL, LOG_CATEGORY_FULL, LOG_TYPE)
                            | fillnull value="----" LOG_PLATFORM APP LOG_CATEGORY DATACENTER CATEGORY PIPELINE</param>
                            <module name="ConvertToDrilldownSearch">
                              <module name="ViewRedirector">
                                <param name="viewTarget">flashtimeline</param>
                              </module> <!-- ViewRedirector -->
                            </module> <!-- ConvertToDrilldownSearch -->
                          </module> <!-- HiddenSearch -->
                        </module> <!-- SimpleResultsTable -->


                      </module> <!-- HiddenPostProcess -->
0 Karma

sideview
SplunkTrust

Well, my recommendation is to move a bit more in the Sideview Utils direction and use the Sideview Redirector module in place of the Splunk modules ConvertToDrilldownSearch and ViewRedirector.

Here's a simple example using the Sideview Table module. Note that you can also use the Splunk modules SimpleResultsTable, JSChart or FlashChart. If you need to use FlashChart or JSChart though, make sure you're using a relatively recent copy of Sideview Utils (older versions didn't provide key patches to JSChart and will be missing some other fixes).

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">index=_internal source="*metrics.log" group="per_sourcetype_thruput" | stats avg(eps) by series | sort - avg(eps)</param>
  <param name="earliest">-12h</param>

  <module name="Pager">

    <module name="Table">

      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search index=_internal source="*metrics.log" group="per_sourcetype_thruput" $click.searchTerms$</param>
        <param name="arg.earliest">$search.timeRange.earliest$</param>
        <param name="arg.latest">$search.timeRange.latest$</param>
      </module>

    </module>
  </module>
</module>

As you can see, Redirector is a little flatter and dumber. You're literally specifying the individual querystring arguments and telling it what URL to go to, as opposed to using ConvertToDrilldownSearch and ViewRedirector where there's more magic going on (some of which involves intentions).

There are other ways you can use Redirector, and there's some advanced functionality around its "generalSearchTermField" and "autoDrilldown" field, but these are only for when you're letting the user type in any Splunk search and therefore the system has to figure out whether it's a drilldown on a timechart, or a stats, or top, or plain-events... Don't worry about those two params unless you start doing that sort of really advanced stuff.

0 Karma
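
Applied to Page 2 from the question, the Redirector approach in the answer above could look like the following. This is an added example, not part of the original post: it assumes, following the answer's note that SimpleResultsTable can stand in for Table, that `$click.searchTerms$` is populated on a row click, and it reuses the asker's raw-data search as the full `arg.q` string.

```xml
<!-- Added example: Page 2's table with Redirector in place of the nested
     HiddenSearch + ConvertToDrilldownSearch + ViewRedirector. -->
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1" group="Errors By Host" autoRun="True">
  <param name="groupLabel">Errors by Host</param>
  <param name="search">chart sum(count) AS sum over host by CATEGORY | fields - JVM | table host *</param>

  <module name="SimpleResultsTable" layoutPanel="panel_row1_col1">
    <param name="count">10</param>
    <param name="displayRowNumbers">False</param>
    <param name="drilldown">row</param>

    <!-- arg.q is written out in full as the raw-data search, so the q
         argument sent to the target view is exactly this string plus the
         clicked row's search terms (assumed here to be host="..."). -->
    <module name="Redirector">
      <param name="url">flashtimeline</param>
      <param name="arg.q">search `errVolIndex` sourcetype=ecomm_app_error* | eval CATEGORY=coalesce(ERR_TYPE_FULL, LOG_CATEGORY_FULL, LOG_TYPE) | fillnull value="----" LOG_PLATFORM APP LOG_CATEGORY DATACENTER CATEGORY PIPELINE | search $click.searchTerms$</param>
      <!-- Carry the dashboard's time range over to the drilldown view. -->
      <param name="arg.earliest">$search.timeRange.earliest$</param>
      <param name="arg.latest">$search.timeRange.latest$</param>
    </module>
  </module>
</module>
```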

SarahBOA
Path Finder

Yes, we could definitely use that! Then we could also send the user to a different view and not the flashtimeline, correct?

0 Karma

sideview
SplunkTrust

Are you OK with using the Sideview Redirector module instead of BOTH ConvertToDrilldownSearch and ViewRedirector? Because that's the best practice if you're already using Utils. I can add an answer showing how.

0 Karma

jonuwz
Influencer

This goes against my understanding of things ... but

The Gimp module clobbers intentions, and in the 1st dashboard, you have a gimp upstream of the 2nd HiddenSearch.

I wouldn't have thought that Gimp would clobber the HiddenPostProcess, but it might do.

So ..

try putting <module name="Gimp"/> before the 2nd HiddenSearch module

If that doesn't work, add another HiddenPostProcess within the 2nd HiddenSearch with

<param name="search"> </param>

This'll definitely clobber your 1st PostProcess

0 Karma

SarahBOA
Path Finder

Interesting....so that is why I had to create the intentions again....will test out the adding of gimp and adding a second PostProcess.

0 Karma

SarahBOA
Path Finder

I have switched both pages to SideViewUtils (replaced all of the ConvertToIntention modules) and am still experiencing this issue. I believe the difference to be that the postProcess is appended to the ConvertToDrillDown inside of the SimpleResultsTable, but not inside of the JSChart.

0 Karma

SarahWKarvenz
Path Finder

The search that appears for the page that does not work correctly:

([macroinserted]) sourcetype=ecomm_app_error* | eval CATEGORY=coalesce(ERR_TYPE_FULL, LOG_CATEGORY_FULL, LOG_TYPE) | fillnull value="----" LOG_PLATFORM APP LOG_CATEGORY DATACENTER CATEGORY PIPELINE | chart sum(count) AS sum over host by CATEGORY | fields - JVM | search host="[correctHostofRowIChose]"

0 Karma

SarahWKarvenz
Path Finder

The search that appears for the page that is working correctly:

([macroinserted]) sourcetype=ecomm_app_error* | eval CATEGORY=coalesce(ERR_TYPE_FULL, LOG_CATEGORY_FULL, LOG_TYPE) | fillnull value="----" LOG_PLATFORM APP LOG_CATEGORY DATACENTER CATEGORY PIPELINE | search APP=* LOG_PLATFORM=* DATACENTER=* PIPELINE=* CATEGORY="CRITICAL"

0 Karma