Adding intention to second drilldown search

blinken
Explorer

Hi,

I've got the advanced view below, which has the aim of producing a search-by-domain page for some Apache-like logs I've got Splunk indexing.

The idea here is that there is a textbox where you can enter a domain, which will produce a chart of the top 20 usernames accessing that domain. Clicking on a user produces a drilldown FlashTimeline showing every URL accessed by that user against that domain - basically, I want to drilldown with two variables, username and domain.

I've got two HiddenSearches - one for 'top 20 users given a domain' and then the drilldown one for 'all events for a given user and domain'. The first one works great, and I've got a stringreplace intention successfully inserting the domain from the text field into the search.

Unfortunately, this intention is only inserted into the first search - the second one just gets a literal $domain_setting$ (and the username intention, which works).

From reading other answers here, I'm guessing the $domain_setting$ variable is being consumed by the first search. I've tried using ConvertToIntention and ConvertToDrilldownSearch inside the second HiddenSearch, with no luck. What do I have to do to make the $domain_setting$ variable and/or the domain intention available for the second search?

    <view>
      <label>Contentkeeper Search Results - Search by Domain</label>
      <module name="AccountBar" layoutPanel="appHeader"/>
      <module name="AppBar" layoutPanel="navigationHeader"/>
      <module name="Message" layoutPanel="messaging">
        <param name="filter">*</param>
        <param name="clearOnJobDispatch">False</param>
        <param name="maxSize">1</param>
      </module>


      <module name="ExtendedFieldSearch" layoutPanel="splSearchControls-inline">
        <param name="field">domain</param>
        <param name="label">Domain</param>
        <param name="default">www.apple.com</param>
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
            <param name="domain_setting">
              <param name="fillOnEmpty">True</param>
              <param name="value"></param>
            </param>
          </param>
        </param>
        <param name="replacementMap">
          <param name="arg">
            <param name="domain_setting">
              <param name="value"></param>
            </param>
          </param>
        </param>
        <module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
          <param name="selected">Last 60 minutes</param>

          <module name="SubmitButton" layoutPanel="splSearchControls-inline">

            <module name="HiddenSearch" layoutPanel="resultsAreaLeft" group="Top 20 users in the last 24 hours" autoRun="True">
              <param name="search">sourcetype="contentkeeper"  username!="ctu" username!="" domain="*$domain_setting$*" | top fullname</param>

              <module name="SimpleResultsHeader" layoutPanel="resultsAreaLeft">
                  <param name="entityName">results</param>
                  <param name="headerFormat">Top 20 users $time$</param>
              </module>

              <module name="JobProgressIndicator"></module>

              <module name="HiddenChartFormatter" layoutPanel="resultsAreaLeft">
                <param name="charting.chart">bar</param>

                <module name="FlashChart">
                  <param name="width">100%</param>
                  <param name="enableResize">False</param>
                  <param name="height">300px</param>

                  <module name="HiddenSearch">
                    <param name="search">sourcetype="contentkeeper" username!="ctu" domain="*$domain_setting$*"</param>

                    <!-- Handle drilldown -->
                    <module name="ConvertToIntention">
                      <param name="preserveParentIntentions">True</param> 
                      <param name="intention">
                        <param name="name">addterm</param>
                        <param name="arg">
                          <param name="fullname">$click.value$</param>
                        </param>
                      </param>

                      <module name="JobProgressIndicator"></module>

                      <module name="SimpleResultsHeader">
                        <param name="entityName">results</param>
                        <param name="headerFormat">$count$ URLs for $click.value$ $time$</param>
                      </module>

                      <module name="FlashTimeline">
                        <param name="width">100%</param>
                        <param name="enableResize">False</param>
                        <param name="height">100px</param>
                      </module>

                      <module name="Paginator">
                        <param name="entityName">results</param>
                        <module name="SimpleResultsTable">
                          <param name="fields">_time url category client_ip</param>
                        </module>
                      </module>

                    </module> <!-- ConvertToIntention -->
                  </module>  <!-- HiddenSearch -->
                </module> <!-- FlashChart -->
              </module> <!-- HiddenChartFormatter -->

            </module> <!-- HiddenSearch -->

          </module> <!-- SubmitButton -->
        </module> <!-- TimeRangePicker -->

      </module> <!-- ExtendedFieldSearch -->

    </view>

Edit: OK, so thanks to erydberg, I've added another ConvertToIntention as per http://answers.splunk.com/questions/3472/drilldown-with-stringreplace-intention. Unfortunately, no luck.

My current theory is that I'm not creating a setting with the ExtendedFieldSearch for the <param name="settingToConvert">domain</param> line. How do I go about doing that?

Here's what I've got now:

<view>
  <label>Contentkeeper Search Results - Search by Domain</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>


  <module name="ExtendedFieldSearch" layoutPanel="splSearchControls-inline">
    <param name="field">domain</param>
    <param name="label">Domain</param>
    <param name="default">www.apple.com</param>
    <param name="intention">
      <param name="name">stringreplace</param>
      <param name="arg">
        <param name="domain_intention">
          <param name="fillOnEmpty">True</param>
          <param name="value"></param>
        </param>
      </param>
    </param>
    <param name="replacementMap">
      <param name="arg">
        <param name="domain_intention">
          <param name="value"></param>
        </param>
      </param>
    </param>
    <module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
      <param name="selected">Last 60 minutes</param>

      <module name="SubmitButton" layoutPanel="splSearchControls-inline">

        <module name="HiddenSearch" layoutPanel="resultsAreaLeft" group="Top 20 users in the last 24 hours" autoRun="True">
          <param name="search">sourcetype="contentkeeper"  username!="ctu" username!="" domain="*$domain_intention$*" | top fullname</param>

          <module name="SimpleResultsHeader" layoutPanel="resultsAreaLeft">
              <param name="entityName">results</param>
              <param name="headerFormat">Top 20 users $time$</param>
          </module>

          <module name="JobProgressIndicator"></module>

          <module name="HiddenChartFormatter" layoutPanel="resultsAreaLeft">
            <param name="charting.chart">bar</param>

            <module name="FlashChart">
              <param name="width">100%</param>
              <param name="enableResize">False</param>
              <param name="height">300px</param>

              <!-- Handle drilldown -->
              <module name="ConvertToIntention">
                <param name="intention">
                  <param name="name">addterm</param>
                  <param name="arg">
                    <param name="fullname">$click.value$</param>
                  </param>
                </param>

                <module name="ConvertToIntention">
                  <param name="settingToConvert">domain</param> 
                  <param name="intention">
                    <param name="name">addterm</param>
                    <param name="arg">
                      <param name="domain">
                        <param name="fillOnEmpty">True</param>
                        <param name="value">$target$</param>
                      </param>
                    </param>
                  </param>

                  <module name="HiddenSearch">
                    <param name="search">sourcetype="contentkeeper" username!="ctu"</param>

                    <module name="JobProgressIndicator"></module>

                    <module name="SimpleResultsHeader">
                      <param name="entityName">results</param>
                      <param name="headerFormat">$count$ URLs for $click.value$ $time$</param>
                    </module>

                    <module name="FlashTimeline">
                      <param name="width">100%</param>
                      <param name="enableResize">False</param>
                      <param name="height">100px</param>
                    </module>

                    <module name="Paginator">
                      <param name="entityName">results</param>
                      <module name="SimpleResultsTable">
                        <param name="fields">_time url category client_ip</param>
                      </module>
                    </module>

                  </module> <!-- HiddenSearch -->
                </module> <!-- ConvertToIntention (settingToConvert) -->
              </module>  <!-- ConvertToIntention (addterm) -->
            </module> <!-- FlashChart -->
          </module> <!-- HiddenChartFormatter -->

        </module> <!-- HiddenSearch -->

      </module> <!-- SubmitButton -->
    </module> <!-- TimeRangePicker -->

  </module> <!-- ExtendedFieldSearch -->

</view>

gkanapathy
Splunk Employee

The problem is that ExtendedFieldSearch does not create a "setting", but instead creates a new "intention" directly. Therefore, when you try to convert the setting a second time to re-create the intention, it won't work.

One solution is to replace the ExtendedFieldSearch with a TextSetting module plus a ConvertToIntention. This will create a setting, and then convert it to an intention. When this intention is consumed, the setting will still be available for you to reconvert.

A new problem with this that you might run into is that TextSetting seems to be a little more limited than ExtendedFieldSearch, especially regarding seed values, default, and unspecified value behavior.

I haven't come across another way with the modules available as of 4.1.4.
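As an added illustration of the TextSetting plus ConvertToIntention approach described in this answer (example view written for this page, not gkanapathy's or Splunk's own code), here is a cut-down version of the original view with ExtendedFieldSearch swapped out. It assumes TextSetting takes a `settingName` param naming the setting it creates, and it reuses the `settingToConvert` / `$target$` pattern already shown in the question; check both against the module reference for your Splunk version.

```xml
<view>
  <label>Contentkeeper Search Results - Search by Domain (TextSetting variant)</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>

  <!-- TextSetting creates a real setting called "domain" rather than an intention.
       Assumption: the param that names the setting is "settingName". -->
  <module name="TextSetting" layoutPanel="splSearchControls-inline">
    <param name="settingName">domain</param>
    <param name="label">Domain</param>
    <param name="default">www.apple.com</param>

    <module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
      <param name="selected">Last 60 minutes</param>

      <module name="SubmitButton" layoutPanel="splSearchControls-inline">

        <!-- First conversion: setting "domain" -> stringreplace intention for $domain_setting$.
             Consuming this intention does not consume the setting itself. -->
        <module name="ConvertToIntention">
          <param name="settingToConvert">domain</param>
          <param name="intention">
            <param name="name">stringreplace</param>
            <param name="arg">
              <param name="domain_setting">
                <param name="fillOnEmpty">True</param>
                <param name="value">$target$</param>
              </param>
            </param>
          </param>

          <module name="HiddenSearch" layoutPanel="resultsAreaLeft" group="Top 20 users" autoRun="True">
            <param name="search">sourcetype="contentkeeper" username!="ctu" username!="" domain="*$domain_setting$*" | top fullname</param>

            <module name="HiddenChartFormatter" layoutPanel="resultsAreaLeft">
              <param name="charting.chart">bar</param>

              <module name="FlashChart">
                <param name="width">100%</param>
                <param name="height">300px</param>

                <!-- Drilldown, step 1: the clicked user becomes an addterm intention -->
                <module name="ConvertToIntention">
                  <param name="intention">
                    <param name="name">addterm</param>
                    <param name="arg">
                      <param name="fullname">$click.value$</param>
                    </param>
                  </param>

                  <!-- Drilldown, step 2: convert the still-present "domain" setting a second time,
                       so $domain_setting$ is substituted in the drilldown search as well -->
                  <module name="ConvertToIntention">
                    <param name="settingToConvert">domain</param>
                    <param name="intention">
                      <param name="name">stringreplace</param>
                      <param name="arg">
                        <param name="domain_setting">
                          <param name="fillOnEmpty">True</param>
                          <param name="value">$target$</param>
                        </param>
                      </param>
                    </param>

                    <module name="HiddenSearch">
                      <param name="search">sourcetype="contentkeeper" username!="ctu" domain="*$domain_setting$*"</param>

                      <module name="Paginator">
                        <param name="entityName">results</param>
                        <module name="SimpleResultsTable">
                          <param name="fields">_time url category client_ip</param>
                        </module>
                      </module>
                    </module>
                  </module> <!-- ConvertToIntention (settingToConvert) -->
                </module> <!-- ConvertToIntention (addterm) -->
              </module> <!-- FlashChart -->
            </module> <!-- HiddenChartFormatter -->
          </module> <!-- HiddenSearch -->
        </module> <!-- ConvertToIntention (settingToConvert) -->
      </module> <!-- SubmitButton -->
    </module> <!-- TimeRangePicker -->
  </module> <!-- TextSetting -->
</view>
```

The point of the layout is that both HiddenSearch modules sit below a ConvertToIntention that names the same `settingToConvert`; each conversion produces a fresh intention from the setting, which is why the second search no longer sees a literal `$domain_setting$`. The `sourcetype="contentkeeper"` term is kept in both searches so the user-supplied domain text only ever narrows the result set within that sourcetype.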

blinken
Explorer

Thanks - using TextSetting does the trick, but you're right about it being limited. The idea was to have this particular page the target of a drilldown from another page, which TextSetting doesn't appear to work with.

So I guess I've got a choice between receiving that top-level drilldown using ExtendedFieldSearch (which has a default value that appears to be populated from the top-level drilldown intention), or using the TextSetting and having a slightly more intuitive bottom-level drilldown.

Thanks for the assistance!


erydberg
Splunk Employee

I think the answer to this question might help you: http://answers.splunk.com/questions/3472/drilldown-with-stringreplace-intention

You need to add another intention to get your domain_name from your textbox again; it's consumed by the first search using it.


blinken
Explorer

Thanks for that. Unfortunately, no luck - I've posted my updated config above. One thought I had was that the new ConvertToIntention requires a setting, and I'm not sure I'm creating one with the ExtendedFieldSearch. How do I go about doing that?
