Dashboards & Visualizations

hiddenintention with addterm and text box

herterich
Explorer

Hi,

I want to customize the default search view (the flashtimeline view) and insert a text fields which will be used for a hiddenintention to allow my users to optionaly specify host in the textfield. I used the module textsetting to insert the addterm. This works fine but there is no way to define default value which will be used if the user does not insert a host or source type in the textbox. I also tried to use ExtendedFieldSearch module where a defaut value could be defined but as far as I understand this module it only passes the value of the text filed to the addterm - but I need to pass a prefix to (for example: textfield contains "host1" but host="host1" should be added as addterm).

Does anyone have an idea how to insert a default value in the TextSetting module or how to add a prefix to the addterm in the ExtendedSearchField module.

I attached both parts of my xml file: xml for the HiddenIntention with TextSetting:

<module name="HiddenIntention">
<param name="intention">
    <param name="name">addterm</param>
    <param name="arg">
    <param name="index=>myindex</param>
    </param>
    </param>
    <module name="TextSetting">
    <param name="elementName">host_elem</param>
    <param name="settingName">host_value</param>
    <param name="label">Application Server</param>
<module name="ConvertToIntention">
    <param name="settingToConvert">host_value</param>
    <param name="intention">
    <param name="name">addterm</param>
    <param name="arg">
    <param name="host">$target$</param>
    </param>
    </param>

And now the one with ExtendedFieldSearch

<module name="HiddenIntention">
<param name="intention">
    <param name="name">addterm</param>
    <param name="arg">
    <param name="index=>myindex</param>
    </param>
</param>
    <module name="ExtendedFieldSearch">
    <param name="replacementMap">
    <param name="arg"/>
    </param>
    <param name="intention">
    <param name="name">addterm</param>
    <param name="arg"/>
    </param>
    <param name="default">*</param>
    <param name="field">Sourcetype</param>

Thanks

Christian

Tags (1)

sideview
SplunkTrust
SplunkTrust

There are three modules in the core UI that provide similar functionality of a text box that can become an intention : FieldSearch, ExtendedFieldSearch and TextSetting.

Unfortunately they're all quite different and each has drawbacks.

In your particular case, you can get away with using the oldest module FieldSearch, which is probably the simplest. FieldSearch has a 'field' param which in your case you'd set to 'host', and it itself outputs an addterm intention directly. In other words you dont need to muck with ConvertToIntention.

ExtendedFieldSearch also outputs an intention but it's configuration is complex and not consistent with anything else so it's hard to get it right. I will say however that it definitely allows you to have a host="" prefix on the output so you are close. You might want to consult the UI Examples app if you havent already, for a couple examples of how to use it. (I think it has at least one).

TextSetting was intended to divorce the intention-creation step from the mere ui-element part. As such it is successful, however only a little early work was done on it so it doesnt have some of the subtleties that the other two have.

Of the 3 FieldSearch may work just fine and it's the simplest. ExtendedFieldSearch has evil configuration space but it can totally get you where you want to go wrt default value and wrapping in host="". TextSetting lacks some things like defaults I think.

And if you are up for it, there's an app on Splunkbase called sideview_utils that provides a bunch of alternate modules to use across all your apps. Notably a module called TextField that is very flexible and simple, and a module called Search that replaces HiddenSearch. Among other benefits, the whole idea of intentions is gone in that system so you might find it nice if you've learned to dislike intentions.

UPDATE: indeed the ui_examples app has 3 pages dedicated to ExtendedFieldSearch. Here is an example of correct config:

<module name="ExtendedFieldSearch">
  <param name="intention">
    <param name="name">addterm</param>
    <param name="arg">
      <param name="host"></param>
    </param>
  </param>
  <param name="replacementMap">
    <param name="arg">
      <param name="host"></param>
    </param>
  </param>
  <param name="default">somehost</param>
  <!--  unfortunate name. the 'field' param actually is  
        the 'label' of the element -->
  <param name="field">Host</param>

herterich
Explorer

Hi nick,

thanks a lot, now it works. I will have a look at the sideview app in the next days.
christian

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...