Splunk Search

Drilldown not working with Join Command

slierninja
Communicator

I figured out how to create monthly buckets using the join command, but now I cannot drill down into my results. Can someone help me figure out how to rewrite my query or enable drilldowns using the join command?

Splunk Error Message

Encountered an unexpected error while parsing intentions.

PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'join' command.

Query

    index="myIndex" host=myHost daysago=30 | stats Count as 30Days by username
    | join username [search index="myIndex" host=myHost daysago=60 | stats Count as 60Days by username]
    | join username [search index="myIndex" host=myHost daysago=90 | stats Count as 90Days by username]
    | join username [search index="myIndex" host=myHost daysago=120 | stats Count as 120Days by username]
    | fields username, 30Days, 60Days, 90Days, 120Days
0 Karma
1 Solution

slierninja
Communicator

In order to work around this limitation, I had to leverage Sideview Utils Redirector component to build a custom search url to support the drill down behavior. The other gotcha was creating event types for each join duration type so that the drill down could filter by the proper bucket.

After removing the default ConvertToDrilldownSearch module, here is the stub of the Redirector:


    
        True
        flashtimeline
        search index="myIndex" host=myHost username="$click.value$" eventtype="#$click.name2$" | stats values(cs_uri_stem) as "Pages Accessed", count as "[Pages Viewed $click.name2$]" by username
    

The biggest letdown of using the Splunk markup is that there is no easy way to do conditionals inside a param - or to perform an inline evaluation. Maybe this is just my lack of know-how. I've also learned that ConvertToIntention is completely useless when you need complete control over the search query (e.g. q=search index=myIndex). Stick with Sideview Utils Redirector if you need complete search query control.
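A join-free way to produce the same four cumulative per-user counts in a single pass, as an added example that is not part of the original posts. It assumes the windows are measured back from the current time (the field name `age_days` is made up for the example), and the thread does not confirm how drilldown behaves on this form.

```spl
index="myIndex" host=myHost earliest=-120d
| eval age_days = (now() - _time) / 86400
| stats count(eval(age_days <= 30))  as "30Days",
        count(eval(age_days <= 60))  as "60Days",
        count(eval(age_days <= 90))  as "90Days",
        count(eval(age_days <= 120)) as "120Days"
  by username
| fields username, 30Days, 60Days, 90Days, 120Days
```

Because there are no subsearches, users who were active only in the older windows still get a row, whereas the chained inner joins keep only usernames present in the 30-day result.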
