Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use "Intention" to add search clauses after the "base search string"

leo_wang
Path Finder
‎09-24-2010 09:20 AM

I have read the this page about the concept of "Intention" : http://www.splunk.com/base/Splexicon:Intention

It says : "the addterm intention can safely add either foo or foo=bar to a search, and it can specify wither the term should be added to the first search clause, or added after any renames, rex clauses, and so on. "

I know how to use "addterm" to add "foo=bar" to a my base search, and this is the only one example I could find on the document, Is anyone know how to add an renames, rex clauses after the base search string?

Reply

leo_wang
Path Finder
‎09-29-2010 03:21 AM

I have such question because I'm designing a form search page like "Using form search patterns but retaining the SearchBar" in UI-Example. In this form search, the base search string is coming from the SearchBar,but I still need to add my own search clauses ( like rex,lookup,rename....etc) to control the search results, any ideas to my situation ?

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-29-2010 03:59 AM

And probably just stringreplace plus macros would be sufficient.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-29-2010 03:58 AM

I would simply use the stringreplace intention, HiddenPostProcess and/or macros. In my opinion, all other intentions are unnecessary and confusing.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎09-28-2010 08:58 PM

Aside from stringreplace and addterm there are a couple other intentions but they are hardly ever used. There is one called 'addCommand' but it is surprisingly limited, probably not documented anywhere, not widely used and you should proceed very carefully if at all.

If you have a use case where its complex enough to where addterm wont work, you go to stringreplace. If for some reason the complexity of stringreplace is annoying or if the $foo$ tokens cannot be present in the search then you could use either a custom module or some custom JS in application.js to modify the search string directly.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-26-2010 12:19 AM

where were you hoping to use this? it's not clear to me that intentions are useful except in advanced XML, and there mostly because you have to use them. i mostly only have use for the stringreplace intention in that case, and i would rather be able to just construct the search string myself without the intentions getting in the way.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...