Adding intention to second drilldown search

blinken
Explorer

Hi,

I've got the advanced view below, which has the aim of producing a search-by-domain page for some Apache-like logs I've got Splunk indexing.

The idea here is that there is a textbox where you can enter a domain, which will produce a chart of the top 20 usernames accessing that domain. Clicking on a user produces a drilldown FlashTimeline showing every URL accessed by that user against that domain - basically, I want to drilldown with two variables, username and domain.

I've got two HiddenSearches - one for 'top 20 users given a domain' and then the drilldown one for 'all events for a given user and domain'. The first one works great, and I've got a stringreplace intention successfully inserting the domain from the text field into the search.

Unfortunately, this intention is only inserted into the first search - the second one just gets a literal $domain_setting$ (and the username intention, which works).

From reading other answers here, I'm guessing the $domain_setting$ variable is being consumed by the first search. I've tried using ConvertToIntention and ConvertToDrilldownSearch inside the second HiddenSearch, with no luck. What do I have to do to make the $domain_setting$ variable and/or the domain intention available for the second search?

    <view>
      <label>Contentkeeper Search Results - Search by Domain</label>
      <module name="AccountBar" layoutPanel="appHeader"/>
      <module name="AppBar" layoutPanel="navigationHeader"/>
      <module name="Message" layoutPanel="messaging">
        <param name="filter">*</param>
        <param name="clearOnJobDispatch">False</param>
        <param name="maxSize">1</param>
      </module>


      <module name="ExtendedFieldSearch" layoutPanel="splSearchControls-inline">
        <param name="field">domain</param>
        <param name="label">Domain</param>
        <param name="default">www.apple.com</param>
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
            <param name="domain_setting">
              <param name="fillOnEmpty">True</param>
              <param name="value"></param>
            </param>
          </param>
        </param>
        <param name="replacementMap">
          <param name="arg">
            <param name="domain_setting">
              <param name="value"></param>
            </param>
          </param>
        </param>
        <module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
          <param name="selected">Last 60 minutes</param>

          <module name="SubmitButton" layoutPanel="splSearchControls-inline">

            <module name="HiddenSearch" layoutPanel="resultsAreaLeft" group="Top 20 users in the last 24 hours" autoRun="True">
              <param name="search">sourcetype="contentkeeper"  username!="ctu" username!="" domain="*$domain_setting$*" | top fullname</param>

              <module name="SimpleResultsHeader" layoutPanel="resultsAreaLeft">
                  <param name="entityName">results</param>
                  <param name="headerFormat">Top 20 users $time$</param>
              </module>

              <module name="JobProgressIndicator"></module>

              <module name="HiddenChartFormatter" layoutPanel="resultsAreaLeft">
                <param name="charting.chart">bar</param>

                <module name="FlashChart">
                  <param name="width">100%</param>
                  <param name="enableResize">False</param>
                  <param name="height">300px</param>

                  <module name="HiddenSearch">
                    <param name="search">sourcetype="contentkeeper" username!="ctu" domain="*$domain_setting$*"</param>

                    <!-- Handle drilldown -->
                    <module name="ConvertToIntention">
                      <param name="preserveParentIntentions">True</param> 
                      <param name="intention">
                        <param name="name">addterm</param>
                        <param name="arg">
                          <param name="fullname">$click.value$</param>
                        </param>
                      </param>

                      <module name="JobProgressIndicator"></module>

                      <module name="SimpleResultsHeader">
                        <param name="entityName">results</param>
                        <param name="headerFormat">$count$ URLs for $click.value$ $time$</param>
                      </module>

                      <module name="FlashTimeline">
                        <param name="width">100%</param>
                        <param name="enableResize">False</param>
                        <param name="height">100px</param>
                      </module>

                      <module name="Paginator">
                        <param name="entityName">results</param>
                        <module name="SimpleResultsTable">
                          <param name="fields">_time url category client_ip</param>
                        </module>
                      </module>

                    </module> <!-- ConvertToIntention -->
                  </module>  <!-- HiddenSearch -->
                </module> <!-- FlashChart -->
              </module> <!-- HiddenChartFormatter -->

            </module> <!-- HiddenSearch -->

          </module> <!-- SubmitButton -->
        </module> <!-- TimeRangePicker -->

      </module> <!-- ExtendedFieldSearch -->

    </view>

Edit: OK, so thanks to erydberg, I've added another ConvertToIntention as per http://answers.splunk.com/questions/3472/drilldown-with-stringreplace-intention. Unfortunately, no luck.

My current theory is that I'm not creating a setting with the ExtendedFieldSearch for the <param name="settingToConvert">domain</param> line. How do I go about doing that?

Here's what I've got now:

<view>
  <label>Contentkeeper Search Results - Search by Domain</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>


  <module name="ExtendedFieldSearch" layoutPanel="splSearchControls-inline">
    <param name="field">domain</param>
    <param name="label">Domain</param>
    <param name="default">www.apple.com</param>
    <param name="intention">
      <param name="name">stringreplace</param>
      <param name="arg">
        <param name="domain_intention">
          <param name="fillOnEmpty">True</param>
          <param name="value"></param>
        </param>
      </param>
    </param>
    <param name="replacementMap">
      <param name="arg">
        <param name="domain_intention">
          <param name="value"></param>
        </param>
      </param>
    </param>
    <module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
      <param name="selected">Last 60 minutes</param>

      <module name="SubmitButton" layoutPanel="splSearchControls-inline">

        <module name="HiddenSearch" layoutPanel="resultsAreaLeft" group="Top 20 users in the last 24 hours" autoRun="True">
          <param name="search">sourcetype="contentkeeper"  username!="ctu" username!="" domain="*$domain_intention$*" | top fullname</param>

          <module name="SimpleResultsHeader" layoutPanel="resultsAreaLeft">
              <param name="entityName">results</param>
              <param name="headerFormat">Top 20 users $time$</param>
          </module>

          <module name="JobProgressIndicator"></module>

          <module name="HiddenChartFormatter" layoutPanel="resultsAreaLeft">
            <param name="charting.chart">bar</param>

            <module name="FlashChart">
              <param name="width">100%</param>
              <param name="enableResize">False</param>
              <param name="height">300px</param>

              <!-- Handle drilldown -->
              <module name="ConvertToIntention">
                <param name="intention">
                  <param name="name">addterm</param>
                  <param name="arg">
                    <param name="fullname">$click.value$</param>
                  </param>
                </param>

                <module name="ConvertToIntention">
                  <param name="settingToConvert">domain</param> 
                  <param name="intention">
                    <param name="name">addterm</param>
                    <param name="arg">
                      <param name="domain">
                        <param name="fillOnEmpty">True</param>
                        <param name="value">$target$</param>
                      </param>
                    </param>
                  </param>

                  <module name="HiddenSearch">
                    <param name="search">sourcetype="contentkeeper" username!="ctu"</param>

                    <module name="JobProgressIndicator"></module>

                    <module name="SimpleResultsHeader">
                      <param name="entityName">results</param>
                      <param name="headerFormat">$count$ URLs for $click.value$ $time$</param>
                    </module>

                    <module name="FlashTimeline">
                      <param name="width">100%</param>
                      <param name="enableResize">False</param>
                      <param name="height">100px</param>
                    </module>

                    <module name="Paginator">
                      <param name="entityName">results</param>
                      <module name="SimpleResultsTable">
                        <param name="fields">_time url category client_ip</param>
                      </module>
                    </module>

                  </module> <!-- HiddenSearch -->
                </module> <!-- ConvertToIntention (domain) -->
              </module>  <!-- ConvertToIntention (fullname) -->
            </module> <!-- FlashChart -->
          </module> <!-- HiddenChartFormatter -->

        </module> <!-- HiddenSearch -->

      </module> <!-- SubmitButton -->
    </module> <!-- TimeRangePicker -->

  </module> <!-- ExtendedFieldSearch -->

</view>

gkanapathy
Splunk Employee

The problem is that ExtendedFieldSearch does not create a "setting", but instead creates a new "intention" directly. Therefore, when you try to convert the setting a second time to re-create the intention, it won't work.

One solution is to replace the ExtendedFieldSearch with a TextSetting module plus a ConvertToIntention. This will create a setting, and then convert it to an intention. When this intention is consumed, the setting will still be available for you to reconvert.

A new problem with this that you might run into is that TextSetting seems to be a little more limited than ExtendedFieldSearch, especially regarding seed values, default, and unspecified value behavior.

I haven't come across another way with the modules available as of 4.1.4.

blinken
Explorer

Thanks - using TextSetting does the trick, but you're right about it being limited. The idea was to have this particular page the target of a drilldown from another page, which TextSetting doesn't appear to work with.

So I guess I've got a choice between receiving that top-level drilldown using ExtendedFieldSearch (which has a default value that appears to be populated from the top-level drilldown intention), or using the TextSetting and having a slightly more intuitive bottom-level drilldown.

Thanks for the assistance!


erydberg
Splunk Employee

I think the answer to this question might help you: http://answers.splunk.com/questions/3472/drilldown-with-stringreplace-intention

You need to add another intention to get your domain_name from your textbox again; it's consumed by the first search using it.


blinken
Explorer

Thanks for that. Unfortunately, no luck - I've posted my updated config above. One thought I had was that the new ConvertToIntention requires a setting, and I'm not sure I'm creating one with the ExtendedFieldSearch. How do I go about doing that?
