I’m attempting to make an Advanced XML dashboard that drills down from one chart to another chart. I’ve used a UI Example to get me started.
The first search chart comes up fine. Unfortunately, I can’t get the drilldown search to display any results. I think the nature of my query is causing problems with the ConvertToIntention module. The unusual element in my two searches (top and drilldown) is that it’s a dbquery (i.e. DB Connect).
My first HiddenSearch query contains:
| dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "Fix Version"
This creates a column chart exactly as I want. When the user clicks on a column, it passes the Fix Version to a drilldown search which is in the XML as:
| dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "ASSIGNEE"
(“[STUFF]” is the same in each search).
When I try that search alone in a search window it seems to behave fine (except that it’s for all Fix Versions). But, when I inspect the drilldown search, Splunk reports it’s trying to do this:
None | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "ASSIGNEE" | search "Fix Version"="13.3.0"
And, what I believe I need is this (which in a search window does just what I want):
| dbquery JIRA limit=1000 "select [STUFF]" | search "Fix Version"="13.3.0" | chart count("pkey") by "ASSIGNEE"
So, the added search term seems to showing up in the wrong place. How can I fix that?
Thanks,
John
It sounds like you're using an 'addterm' intention, when here you need a 'stringreplace' intention.
the 'addterm' intention had that behavior where it will ultimately take the argument and try to add it as a simple searchterm in a search clause. And if there is a reporting command involved, addterm will happily tack on a whole other search clause just like that.
the 'stringreplace' intention on the other hand, while a lot harder to work with, is for substituting the given argument into a $foo$ token in the search as specified by a HiddenSearch module.
Incidentally you might want to look at Sideview Utils. It brings in a lot of practical improvements, a lot of which make drilldowns easier to set up and maintain. The most important being that you don't have to use or think about intentions at all anymore - with Sideview Utils you can just plug your arguments right into the $foo$ tokens and skip the messy middle part of fighting with the intention system.