
Can a ConvertToIntention work on a HiddenPostProcess?

tsmithsplunk
Path Finder

(Splunk 4.2) I have a base search from a HiddenSavedSearch. I then use a HiddenPostProcess to chart the results. Then for drilldown within the chart, I have another HiddenPostProcess with a stringreplace ConvertToIntention. It appears to me that the token in this inner HiddenPostProcess is not getting replaced. When clicking on a series in the chart I get nothing. Here's a code fragment:

<module name="HiddenPostProcess">
    <param name="search">where applog_orgName="$ORGNAME$" | timechart count span=1h</param>

    <module name="ConvertToIntention">
        <param name="intention">
            <param name="name">stringreplace</param>
            <param name="arg">
                 <param name="ORGNAME">
                      <param name="value">$click.value$</param>
                 </param>
            </param>

            <param name="flags">
                 <list>indexed</list>
            </param>
        </param>
        <!-- fragment: downstream chart/table modules omitted -->
    </module>
</module>

I've tried the addterm intention instead, but the drilldown ignores it and just shows results without further filtering. I assume it's not possible to use "addterm" with a HiddenSavedSearch. I've been perusing the UI examples download, but nothing has jumped out as another alternative.

Users will not wait around for several minutes while a realtime search runs. The base search must be a saved search. Is there no way to filter a saved search with a user selected value? Thanks!

1 Solution

sideview
SplunkTrust

No, but it's easy to do with Sideview Utils. Sideview Utils is a Splunk app that brings with it a number of new modules that augment and extend the Splunk UI. Of these, there is the PostProcess module, which is like the core module HiddenPostProcess, except that it can do $foo$ substitution.

However, it just does the substitution directly using the created token -- there is no intention acting as middleman. In fact with Sideview Utils you can write all your views going forward with no intentions at all and you can gradually retool all your existing views such that you'll never have to think about intentions again.

For example, if upstream you had a module that was putting out a key called "ORGNAME", you would just do this:

<module name="PostProcess">
  <param name="search">where applog_orgName="$ORGNAME$" | timechart count span=1h</param>
  <!-- fragment: downstream modules omitted -->
</module>

That's really just the beginning though. The improvements are really dramatic and exist all across the board. For instance if your "ORGNAME" was coming from an ExtendedFieldSearch, you would have a basic ExtendedFieldSearch config like so:

<module name="ExtendedFieldSearch">
  <param name="label">Organization Name</param>
  <param name="field">ORGNAME</param>
  <param name="replacementMap">
    <param name="arg">
      <param name="ORGNAME">
        <param name="value"></param>
      </param>
    </param>
  </param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
      <param name="ORGNAME">
        <param name="default"></param>
        <param name="fillOnEmpty">True</param>
      </param>
    </param>
  </param>
  <!-- fragment: downstream modules omitted -->
</module>

Whereas Sideview Utils offers the module TextField which can completely replace ExtendedFieldSearch, and the TextField config to replace the above ExtendedFieldSearch config looks quite a lot simpler:

<module name="TextField">
  <param name="name">ORGNAME</param>
  <param name="label">Organization Name</param>
  <!-- fragment: downstream modules omitted -->
</module>

But check out Sideview Utils by getting the latest copy (2.2.2) from the Sideview site.

There are dozens of dramatic improvements like this, and the app contains a great deal of examples and documentation that will walk you through all of the benefits.

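Added example (mine, not code from this thread or from Sideview Utils): the answer above drops the token into the post-process search verbatim, with no intention in between, and on a drilldown that token is $click.value$, i.e. a field value that came out of the indexed events. The script below models that substitution on the thread's own post-process search and shows what happens when the clicked value carries a double quote, then the same substitution with the value escaped as an SPL string literal (backslash before backslash and before the quote, which is how eval/where string literals take an embedded quote). The hostile click value, the substitution function and the quote-aware pipe counter are all constructed for the demo; whether Sideview Utils escapes tokens on its own is not stated on this page, so check that in the app's docs before relying on either path.

```python
import re

# Constructed from the post-process search in this thread. The accepted answer's
# PostProcess module fills $ORGNAME$ verbatim from the upstream token (here the
# clicked chart value), with no intention in between.
POSTPROCESS_TEMPLATE = 'where applog_orgName="$ORGNAME$" | timechart count span=1h'

TOKEN_RE = re.compile(r"\$(\w+)\$")


def substitute_raw(template: str, tokens: dict) -> str:
    """Plain $name$ substitution: each token is dropped into the search as-is.
    Unknown tokens are left untouched (assumed behaviour, modelled for the demo)."""
    return TOKEN_RE.sub(lambda m: tokens.get(m.group(1), m.group(0)), template)


def spl_string_literal(value: str) -> str:
    """Escape a value so it stays inside one double-quoted SPL eval/where string.
    Backslash first, then the quote, so an existing backslash cannot un-escape
    the quote we add."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def substitute_safe(template: str, tokens: dict) -> str:
    """Same substitution, but every token value is escaped as a string literal.
    Assumes each $name$ sits inside double quotes in the template, as ORGNAME does."""
    return substitute_raw(template, {k: spl_string_literal(v) for k, v in tokens.items()})


def pipeline_stages(search: str) -> list:
    """Split an SPL string on pipes that are outside double-quoted strings.
    Used here only to show whether a token value changed the pipeline shape."""
    stages, buf, in_string, i = [], [], False, 0
    while i < len(search):
        ch = search[i]
        if in_string and ch == "\\" and i + 1 < len(search):
            buf.append(ch)
            buf.append(search[i + 1])
            i += 2
            continue
        if ch == '"':
            in_string = not in_string
        if ch == "|" and not in_string:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    stages.append("".join(buf).strip())
    return stages


# Constructed click values. Field values come from the indexed events, so
# whoever writes the logs decides what ends up in $click.value$.
BENIGN_CLICK = "acme"
HOSTILE_CLICK = 'acme" OR 1=1 | eval applog_orgName="'

if __name__ == "__main__":
    for value in (BENIGN_CLICK, HOSTILE_CLICK):
        raw = substitute_raw(POSTPROCESS_TEMPLATE, {"ORGNAME": value})
        safe = substitute_safe(POSTPROCESS_TEMPLATE, {"ORGNAME": value})
        print(f"click value : {value!r}")
        print(f"  raw  -> {len(pipeline_stages(raw))} stages: {raw}")
        print(f"  safe -> {len(pipeline_stages(safe))} stages: {safe}")
```

With the benign value both paths give the two-stage search from the thread. With the hostile value the raw path closes the string early and the search grows a third stage (an extra eval) before timechart; the escaped path keeps the whole value inside the one string literal, so the where clause simply matches nothing. The same concern applies to the loadjob workaround further down, since the intention there is also fed from a user- or event-controlled value.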


slierninja
Communicator

Thanks for adding support for tokens in PostProcess to extend the HiddenPostProcess module. I was having trouble getting the Tabs working with a subsearch in the downstream modules. You rock!


sideview
SplunkTrust
SplunkTrust

Excellent! Well you're just at the beginning really. There are all kinds of really big improvements like that across the system. Keep working your way through the embedded tutorial/docs. http://sideviewapps.com/apps/sideview-utils/testimonials/

tsmithsplunk
Path Finder

Wow, that was easy!! I eliminated the ConvertToIntention module completely and just plugged in $click.value$. Every Splunk customizer needs SideviewUtils.

jonuwz
Influencer

You can't use intentions in post process.

That said, you can work around this by specifying a search that loads the results from a saved search, and applying your intentions to that.

i.e.

<module name="HiddenSearch">
  <param name="search"> | loadjob savedsearch="user:app:saved_search_name" | apply_your_intentions here </param>
  <!-- fragment: intention and downstream modules omitted -->
</module>

The down side is that this will count as 1 search against the users maximum quota.

So if the user can run 3 concurrent searches, this will count as 1.

Alternatively, look into the sideview utils, where you can use variable substitution in post process.

jonuwz
Influencer

Hi. I use this in production environments today.

And you're absolutely right - you have to give the saved search app-level permissions (and make sure your users have read access to the saved search).


tsmithsplunk
Path Finder

This may indeed work, but I have yet to see it. Must the saved search be "public"? Mine is private right now.
