Splunk Search

Drilldown not working with Join Command

slierninja
Communicator

I figured out how to create monthly buckets using the join command, but now I cannot drilldown into my results. Can someone help me figure out how to rewrite my query or enable drilldowns using the join command?

Splunk Error Message

Encountered an unexpected error while parsing intentions.

PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'join' command.

Query

    index="myIndex" host=myHost daysago=30 | stats Count as 30Days by username
    | join username [search index="myIndex" host=myHost daysago=60 | stats Count as 60Days by username]
    | join username [search index="myIndex" host=myHost daysago=90 | stats Count as 90Days by username]
    | join username [search index="myIndex" host=myHost daysago=120 | stats Count as 120Days by username]
    | fields username, 30Days, 60Days, 90Days, 120Days

slierninja
Communicator

In order to work around this limitation, I had to leverage Sideview Utils Redirector component to build a custom search url to support the drill down behavior. The other gotcha was creating event types for each join duration type so that the drill down could filter by the proper bucket.

After removing the default ConvertToDrilldownSearch module, here is the stub of the Redirector:


    
        True
        flashtimeline
        search index="myIndex" host=myHost username="$click.value$" eventtype="#$click.name2$" | stats values(cs_uri_stem) as "Pages Accessed", count as "[Pages Viewed $click.name2$]" by username
    

The biggest letdown of using the Splunk markup is that there is no easy way to do conditionals inside a param, or to perform an inline evaluation. Maybe this is just my lack of know-how. I've also learned that ConvertToIntention is completely useless when you need complete control over the search query (e.g. q=search index=myIndex). Stick with Sideview Utils Redirector if you need complete search query control.
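One join-free way to build the same cumulative 30/60/90/120-day counts in a single pass, so the search no longer contains the post-reporting `join` named in the error message (an added example, not part of the original thread and not run against the poster's data). It assumes `earliest=-120d` is an acceptable stand-in for `daysago=120`; the final `where` reproduces the inner-join behaviour of dropping users with no events in the last 30 days.

```spl
index="myIndex" host=myHost earliest=-120d
| stats
    count(eval(_time >= relative_time(now(), "-30d"))) as "30Days",
    count(eval(_time >= relative_time(now(), "-60d"))) as "60Days",
    count(eval(_time >= relative_time(now(), "-90d"))) as "90Days",
    count as "120Days"
    by username
| where '30Days' > 0
```

Field names that begin with a digit need single quotes inside `where` and `eval` expressions, which is why `'30Days'` is quoted there.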
