Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

PARSER error on drilldown when using table

bojanz
Communicator
‎08-26-2010 01:40 PM

I have a simple table in a dashboard built like this:

    <table>
            <title>Test</title>
            <searchString>source="wineventlog:security" EventCode="528" Logon_Type="10" startdaysago=14 | table _time User_Name Source_Network_Address Workstation_Name | rename _time as Time User_Name as "User Name" Source_Network_Address as "Source IP Address" Workstation_Name as "RDP Server" | convert ctime(Time)</searchString>
            <option name="count">25</option>
            <option name="displayRowNumbers">true</option>
            <option name="showPager">true</option>
    </table>

Now, the table renders without any problems, however, when I click on any element in the table I get the following error:

Encountered an unexpected error while parsing intentions. PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'convert' command

Any idea why this is happening? Even if I remove the convert() option and cut down the search, I still get the same error.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-27-2010 04:35 AM

The drilldown is expecting a timechart or chart or stats command to generate the data. Without it, it is unable to determine the original data and to drill back to. This is probably a bug or enhancement request to Splunk to get the UI to accept table as a reporting command.

You can solve this either by creating a custom drilldown search (which requires going to Advanced XML), or you can rewrite your table command using stats:

... | stats count by _time User_Name Source_Network_Address Workstation_Name
    | fields - count
    | ...

This will eliminate duplicate rows. If you have them and want to keep them, you could do: 

... | stats count by _time User_Name Source_Network_Address Workstation_Name _serial
    | fields - count _serial
    | ...

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-27-2010 04:35 AM

The drilldown is expecting a timechart or chart or stats command to generate the data. Without it, it is unable to determine the original data and to drill back to. This is probably a bug or enhancement request to Splunk to get the UI to accept table as a reporting command.

You can solve this either by creating a custom drilldown search (which requires going to Advanced XML), or you can rewrite your table command using stats:

... | stats count by _time User_Name Source_Network_Address Workstation_Name
    | fields - count
    | ...

This will eliminate duplicate rows. If you have them and want to keep them, you could do: 

... | stats count by _time User_Name Source_Network_Address Workstation_Name _serial
    | fields - count _serial
    | ...
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...