Dashboards & Visualizations

How do I use a Parent ConvertToIntention parameter in the child?

mmaddo
Explorer

I have a view with a SearchSelectLister which contains the top ten event codes seen over the past three months. Users can select an event code from the list and then see which firmware levels are generating the selected event code in a time chart over the past three months.

I would like the user to be able to click on a marker in the time chart and view the the details for the firmware level and event code. Everything is working except I can't get the event code selected in the SearchSelectLister to show up in the search criteria. Any thoughts how I can get a ConvertToIntention paramger from the parent object to show up in the detail?

I'm running Splunk 4.1.

prod="YYYY" startmonthsago=3 | timechart span=7d count(firmware) by firmware useother=f usenull=f where sum in top5

<module name="SearchSelectLister">
  <param name="settingToCreate">series_setting</param>
  <param name="search">startmonthsago=3 prod="YYYY" | top event_code limit=10</param>
  <param name="label">Event</param>
  <param name="searchWhenChanged">True</param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">event_code</param>
      <param name="value">event_code</param>
    </list>
  </param>
  <module name="ConvertToIntention">
    <param name="settingToConvert">series_setting</param>
    <param name="intention">
      <param name="name">addterm</param>
      <param name="arg">
        <param name="event_code">$target$</param>
      </param>
    </param>
    <module name="SubmitButton">
      <param name="label">Show Chart</param>
       <module name="HiddenChartFormatter">
    <param name="chart">line</param>
    <param name="primaryAxisTitle.text">Week</param>
    <param name="secondaryAxisTitle.text"></param>
    <param name="charting.legend.labelStyle.maximumWidth">500</param>
    <param name="legend.placement">right</param>
    <param name="chartTitle">Top Firmware Levels - Weekly</param>

    <module name="JobProgressIndicator"/>
    <module name="FlashChart">
        <param name="width">100%</param>
        <param name="height">160px</param>

        <module name="HiddenSearch">
            <param name="search">startmonthsago=3 prod="YYYY"</param>
            <module name="ConvertToIntention">
                <param name="preserveParentIntentions">true</param>
                <param name="intention">
                <param name="name">addterm</param>
                <param name="arg">
                    <param name="firmware">$click.name2$</param>
                </param>
                <module name="ViewRedirector">
                    <param name="viewTarget">flashtimeline</param>
                </module>
            </module>
        </module> <!-- Second Hidden Search   -->
    </module> <!--  Flash Chart  -->
   </module> <!--  Hiddn Chart Formatter  -->
    </module>  <!--  Submit Button  -->
  </module> <!--  First Convert to Intention  -->
</module> <!--  Search Select Lister  -->

1 Solution

sideview
SplunkTrust
SplunkTrust

Common problem - all you need to do is reconvert the first intention.

All intentions will get consumed when the search they're building gets dispatched. Meaning that those intentions wont exist at or below that point in the hierarchy.

Put another way the dispatching of the search that renders into that FlashChart, results in all modules below that point having a clean slate with respect to intentions.

However the abstract key, in this case 'series_setting', does not get consumed. So just put another copy of that first ConvertToIntention module underneath the FlashChart, and that will generate a second copy of the same intention, which will then get applied to the drilldown search.

as an aside, I also recommend taking the 'startmonthsago=3' out of the search string, and instead put that in the 'earliest' param of HiddenSearch and use the newer relative term syntax, ie

<param name="earliest">-3mon</param>

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

Common problem - all you need to do is reconvert the first intention.

All intentions will get consumed when the search they're building gets dispatched. Meaning that those intentions wont exist at or below that point in the hierarchy.

Put another way the dispatching of the search that renders into that FlashChart, results in all modules below that point having a clean slate with respect to intentions.

However the abstract key, in this case 'series_setting', does not get consumed. So just put another copy of that first ConvertToIntention module underneath the FlashChart, and that will generate a second copy of the same intention, which will then get applied to the drilldown search.

as an aside, I also recommend taking the 'startmonthsago=3' out of the search string, and instead put that in the 'earliest' param of HiddenSearch and use the newer relative term syntax, ie

<param name="earliest">-3mon</param>
0 Karma

mmaddo
Explorer

Thanks Nick. You're suggesting worked perfectly.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...