Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

DB Connect and ConvertToIntention Problem

vrmerlin
New Member
‎04-29-2013 01:26 PM

I’m attempting to make an Advanced XML dashboard that drills down from one chart to another chart. I’ve used a UI Example to get me started.

The first search chart comes up fine. Unfortunately, I can’t get the drilldown search to display any results. I think the nature of my query is causing problems with the ConvertToIntention module. The unusual element in my two searches (top and drilldown) is that it’s a dbquery (i.e. DB Connect).

My first HiddenSearch query contains:

  | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "Fix Version"

This creates a column chart exactly as I want. When the user clicks on a column, it passes the Fix Version to a drilldown search which is in the XML as:

  | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "ASSIGNEE"

(“[STUFF]” is the same in each search).

When I try that search alone in a search window it seems to behave fine (except that it’s for all Fix Versions). But, when I inspect the drilldown search, Splunk reports it’s trying to do this:

  None | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "ASSIGNEE" | search "Fix Version"="13.3.0"

And, what I believe I need is this (which in a search window does just what I want):

  | dbquery JIRA limit=1000 "select [STUFF]" | search "Fix Version"="13.3.0" | chart count("pkey") by "ASSIGNEE"

So, the added search term seems to showing up in the wrong place. How can I fix that?

Thanks,
John

Tags (2)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎04-29-2013 07:16 PM

It sounds like you're using an 'addterm' intention, when here you need a 'stringreplace' intention.

the 'addterm' intention had that behavior where it will ultimately take the argument and try to add it as a simple searchterm in a search clause. And if there is a reporting command involved, addterm will happily tack on a whole other search clause just like that.

the 'stringreplace' intention on the other hand, while a lot harder to work with, is for substituting the given argument into a $foo$ token in the search as specified by a HiddenSearch module.

Incidentally you might want to look at Sideview Utils. It brings in a lot of practical improvements, a lot of which make drilldowns easier to set up and maintain. The most important being that you don't have to use or think about intentions at all anymore - with Sideview Utils you can just plug your arguments right into the $foo$ tokens and skip the messy middle part of fighting with the intention system.

http://sideviewapps.com/apps/sideview-utils

0 Karma
Reply
Get Updates on the Splunk Community!

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Splunk Observability Cloud continues to evolve, empowering engineering and operations teams with advanced ...