In the following abbreviated search, is there any way to have drilldown work properly when using an addtotals or when trying to format numbers with an eval command after the search? I can't seem to get rid of errors such as the following:
PARSER: Applying intentions failed Drilldown error: unable to drill down from 'stats count as NbrReports by User '
searchstuff......|eval User = UserName." --- ".UserId
| stats count as NbrReports by User
| addtotals fieldname=NbrReports col=true row=false
or
searchstuff...... |eval User = UserName." --- ".UserId
| convert mstime(TotalReportRunTime) AS nbrSeconds
| stats count as NbrReports, avg(nbrSeconds) as AvgRunTime by User
| eval AvgRunTime = strftime(AvgRunTime, "%M:%S.%3N")
The user wants to be able to click on the User field, which is a link. And of course the system adds the | search User="xxxxxx --- xx1234" to the end of the text (for the new search caused by the drilldown), after the addtotals or after the eval, which apparently breaks the syntax for the parser.
There are a few things that you can do, though some of them probably won't work in your specific case:
The easiest choice for you is to simply turn off the drilldown. The best choice is probably to use Advanced XML, but that is a bit of work and it may not be worth your while. Look here in the Developing... manual for more information.
Finally, you could separate the fields, which would change your search to
searchstuff......
| convert mstime(TotalReportRunTime) AS nbrSeconds
| stats count as NbrReports, avg(nbrSeconds) as AvgRunTime by UserName UserId
| fieldformat AvgRunTime = strftime(AvgRunTime, "%M:%S.%3N")
I can't think of anything else that would help, but maybe someone else will have an idea...
@lguinn, I'm using an Advanced XML dashboard with row drilldown and I also see this problem. What exactly is the advanced XML workaround? For my particular table it doesn't make sense to use cell drilldown.
Yes, if you want more control of the visualization, you need to put the report in a dashboard. Then you can change the table parameters.
There is no other way to tell Splunk explicitly how to do the drilldown. You could put in an enhancement request by submitting a ticket at https://www.splunk.com/index.php/submit_issue
I shouldn't have said "leading pipe character" since the user clicked on a concatenated field, but I think it could algorithmically be done so that it would both parse correctly and display appropriate results.
Unfortunately the fieldformat command causes the exact same problem as the eval command, namely:
PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'fieldformat' command
and no results appear in the popped up window.
Also, I'm using the default Search app, so I guess I shouldn't modify the table parameters.
It seems to me that it would be simple (and desirable) for the system to add the clicked-on search term before the leading pipe character in the main search. Then everything would work as expected. (At least expected by me.)