Hi,
I've got the advanced view below, which has the aim of producing a search-by-domain page for some Apache-like logs I've got Splunk indexing.
The idea here is that there is a textbox where you can enter a domain, which will produce a chart of the top 20 usernames accessing that domain. Clicking on a user produces a drilldown FlashTimeline showing every URL accessed by that user against that domain - basically, I want to drilldown with two variables, username and domain.
I've got two HiddenSearches - one for 'top 20 users given a domain' and then the drilldown one for 'all events for a given user and domain'. The first one works great, and I've got a stringreplace intention successfully inserting the domain from the text field into the search.
Unfortunately, this intention is only inserted into the first search - the second one just gets a literal $domain_setting$ (and the username intention, which works).
From reading other answers here, I'm guessing the $domain_setting$ variable is being consumed by the first search. I've tried using ConvertToIntention and ConvertToDrilldownSearch inside the second HiddenSearch, with no luck. What do I have to do to make the $domain_setting$ variable and/or the domain intention available for the second search?
<view>
  <label>Contentkeeper Search Results - Search by Domain</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="ExtendedFieldSearch" layoutPanel="splSearchControls-inline">
    <param name="field">domain</param>
    <param name="label">Domain</param>
    <param name="default">www.apple.com</param>
    <param name="intention">
      <param name="name">stringreplace</param>
      <param name="arg">
        <param name="domain_setting">
          <param name="fillOnEmpty">True</param>
          <param name="value"></param>
        </param>
      </param>
    </param>
    <param name="replacementMap">
      <param name="arg">
        <param name="domain_setting">
          <param name="value"></param>
        </param>
      </param>
    </param>
    <module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
      <param name="selected">Last 60 minutes</param>
      <module name="SubmitButton" layoutPanel="splSearchControls-inline">
        <module name="HiddenSearch" layoutPanel="resultsAreaLeft" group="Top 20 users in the last 24 hours" autoRun="True">
          <param name="search">sourcetype="contentkeeper" username!="ctu" username!="" domain="*$domain_setting$*" | top fullname</param>
          <module name="SimpleResultsHeader" layoutPanel="resultsAreaLeft">
            <param name="entityName">results</param>
            <param name="headerFormat">Top 20 users $time$</param>
          </module>
          <module name="JobProgressIndicator"></module>
          <module name="HiddenChartFormatter" layoutPanel="resultsAreaLeft">
            <param name="charting.chart">bar</param>
            <module name="FlashChart">
              <param name="width">100%</param>
              <param name="enableResize">False</param>
              <param name="height">300px</param>
              <module name="HiddenSearch">
                <param name="search">sourcetype="contentkeeper" username!="ctu" domain="*$domain_setting$*"</param>
                <!-- Handle drilldown -->
                <module name="ConvertToIntention">
                  <param name="preserveParentIntentions">True</param>
                  <param name="intention">
                    <param name="name">addterm</param>
                    <param name="arg">
                      <param name="fullname">$click.value$</param>
                    </param>
                  </param>
                  <module name="JobProgressIndicator"></module>
                  <module name="SimpleResultsHeader">
                    <param name="entityName">results</param>
                    <param name="headerFormat">$count$ URLs for $click.value$ $time$</param>
                  </module>
                  <module name="FlashTimeline">
                    <param name="width">100%</param>
                    <param name="enableResize">False</param>
                    <param name="height">100px</param>
                  </module>
                  <module name="Paginator">
                    <param name="entityName">results</param>
                    <module name="SimpleResultsTable">
                      <param name="fields">_time url category client_ip</param>
                    </module>
                  </module>
                </module> <!-- ConvertToIntention -->
              </module> <!-- HiddenSearch -->
            </module> <!-- FlashChart -->
          </module> <!-- HiddenChartFormatter -->
        </module> <!-- HiddenSearch -->
      </module> <!-- SubmitButton -->
    </module> <!-- TimeRangePicker -->
  </module> <!-- ExtendedFieldSearch -->
</view>
Edit: OK, so thanks to erydberg, I've added another ConvertToIntention as per http://answers.splunk.com/questions/3472/drilldown-with-stringreplace-intention. Unfortunately, no luck.
My current theory is that I'm not creating a setting with the ExtendedFieldSearch for the <param name="settingToConvert">domain</param> line. How do I go about doing that?
Here's what I've got now:
<view>
  <label>Contentkeeper Search Results - Search by Domain</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="ExtendedFieldSearch" layoutPanel="splSearchControls-inline">
    <param name="field">domain</param>
    <param name="label">Domain</param>
    <param name="default">www.apple.com</param>
    <param name="intention">
      <param name="name">stringreplace</param>
      <param name="arg">
        <param name="domain_intention">
          <param name="fillOnEmpty">True</param>
          <param name="value"></param>
        </param>
      </param>
    </param>
    <param name="replacementMap">
      <param name="arg">
        <param name="domain_intention">
          <param name="value"></param>
        </param>
      </param>
    </param>
    <module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
      <param name="selected">Last 60 minutes</param>
      <module name="SubmitButton" layoutPanel="splSearchControls-inline">
        <module name="HiddenSearch" layoutPanel="resultsAreaLeft" group="Top 20 users in the last 24 hours" autoRun="True">
          <param name="search">sourcetype="contentkeeper" username!="ctu" username!="" domain="*$domain_intention$*" | top fullname</param>
          <module name="SimpleResultsHeader" layoutPanel="resultsAreaLeft">
            <param name="entityName">results</param>
            <param name="headerFormat">Top 20 users $time$</param>
          </module>
          <module name="JobProgressIndicator"></module>
          <module name="HiddenChartFormatter" layoutPanel="resultsAreaLeft">
            <param name="charting.chart">bar</param>
            <module name="FlashChart">
              <param name="width">100%</param>
              <param name="enableResize">False</param>
              <param name="height">300px</param>
              <!-- Handle drilldown -->
              <module name="ConvertToIntention">
                <param name="intention">
                  <param name="name">addterm</param>
                  <param name="arg">
                    <param name="fullname">$click.value$</param>
                  </param>
                </param>
                <module name="ConvertToIntention">
                  <param name="settingToConvert">domain</param>
                  <param name="intention">
                    <param name="name">addterm</param>
                    <param name="arg">
                      <param name="domain">
                        <param name="fillOnEmpty">True</param>
                        <param name="value">$target$</param>
                      </param>
                    </param>
                  </param>
                  <module name="HiddenSearch">
                    <param name="search">sourcetype="contentkeeper" username!="ctu"</param>
                    <module name="JobProgressIndicator"></module>
                    <module name="SimpleResultsHeader">
                      <param name="entityName">results</param>
                      <param name="headerFormat">$count$ URLs for $click.value$ $time$</param>
                    </module>
                    <module name="FlashTimeline">
                      <param name="width">100%</param>
                      <param name="enableResize">False</param>
                      <param name="height">100px</param>
                    </module>
                    <module name="Paginator">
                      <param name="entityName">results</param>
                      <module name="SimpleResultsTable">
                        <param name="fields">_time url category client_ip</param>
                      </module>
                    </module>
                  </module> <!-- HiddenSearch (drilldown) -->
                </module> <!-- ConvertToIntention (domain) -->
              </module> <!-- ConvertToIntention (fullname) -->
            </module> <!-- FlashChart -->
          </module> <!-- HiddenChartFormatter -->
        </module> <!-- HiddenSearch -->
      </module> <!-- SubmitButton -->
    </module> <!-- TimeRangePicker -->
  </module> <!-- ExtendedFieldSearch -->
</view>
The problem is that ExtendedFieldSearch does not create a "setting", but instead creates a new "intention" directly. Therefore, when you try to convert the setting a second time to re-create the intention, it won't work.
One solution is to replace the ExtendedFieldSearch with a TextSetting module plus a ConvertToIntention. This will create a setting, and then convert it to an intention. When this intention is consumed, the setting will still be available for you to reconvert.
A new problem with this that you might run into is that TextSetting seems to be a little more limited than ExtendedFieldSearch, especially regarding seed values, default, and unspecified value behavior.
I haven't come across another way with the modules available as of 4.1.4.
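The TextSetting approach from this answer, written out as a view fragment (an added example, not configuration posted in the thread). The TextSetting parameter names elementName and settingName are assumptions to check against the module reference for your version; the fragment keeps only the modules needed to show the setting being converted twice.

```xml
<!-- Added example. TextSetting's elementName/settingName params are assumed; check the module reference. -->
<module name="TextSetting" layoutPanel="splSearchControls-inline">
  <param name="elementName">domain</param>
  <param name="settingName">domain</param>
  <param name="label">Domain</param>
  <!-- 1st conversion: setting "domain" becomes the stringreplace intention -->
  <module name="ConvertToIntention">
    <param name="settingToConvert">domain</param>
    <param name="intention">
      <param name="name">stringreplace</param>
      <param name="arg">
        <param name="domain_setting"><param name="value">$target$</param></param>
      </param>
    </param>
    <module name="SubmitButton" layoutPanel="splSearchControls-inline">
      <module name="HiddenSearch" layoutPanel="resultsAreaLeft" autoRun="True">
        <param name="search">sourcetype="contentkeeper" username!="ctu" username!="" domain="*$domain_setting$*" | top fullname</param>
        <module name="HiddenChartFormatter">
          <param name="charting.chart">bar</param>
          <module name="FlashChart">
            <module name="HiddenSearch">
              <param name="search">sourcetype="contentkeeper" username!="ctu" domain="*$domain_setting$*"</param>
              <!-- 2nd conversion: the intention was consumed above, the setting was not -->
              <module name="ConvertToIntention">
                <param name="settingToConvert">domain</param>
                <param name="intention">
                  <param name="name">stringreplace</param>
                  <param name="arg">
                    <param name="domain_setting"><param name="value">$target$</param></param>
                  </param>
                </param>
                <!-- Clicked bar supplies the username term, as in the question's first view -->
                <module name="ConvertToIntention">
                  <param name="intention">
                    <param name="name">addterm</param>
                    <param name="arg"><param name="fullname">$click.value$</param></param>
                  </param>
                  <module name="SimpleResultsTable">
                    <param name="fields">_time url category client_ip</param>
                  </module>
                </module> <!-- ConvertToIntention (fullname) -->
              </module> <!-- ConvertToIntention (domain, 2nd) -->
            </module> <!-- HiddenSearch (drilldown) -->
          </module> <!-- FlashChart -->
        </module> <!-- HiddenChartFormatter -->
      </module> <!-- HiddenSearch (top users) -->
    </module> <!-- SubmitButton -->
  </module> <!-- ConvertToIntention (domain, 1st) -->
</module> <!-- TextSetting -->
```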
Thanks - using TextSetting does the trick, but you're right about it being limited. The idea was to have this particular page the target of a drilldown from another page, which TextSetting doesn't appear to work with.
So I guess I've got a choice between receiving that top-level drilldown using ExtendedFieldSearch (which has a default value that appears to be populated from the top-level drilldown intention), or using the TextSetting and having a slightly more intuitive bottom-level drilldown.
Thanks for the assistance!
I think the answer to this question might help you: http://answers.splunk.com/questions/3472/drilldown-with-stringreplace-intention
You need to add another intention to get your domain_name from your textbox again; it's consumed by the first search using it.
Thanks for that. Unfortunately, no luck - I've posted my updated config above. One thought I had was that the new ConvertToIntention requires a setting, and I'm not sure I'm creating one with the ExtendedFieldSearch. How do I go about doing that?