How to use "Intention" to add search clauses after the "base search string"

leo_wang
Path Finder

I have read this page about the concept of "Intention": http://www.splunk.com/base/Splexicon:Intention

It says: "the addterm intention can safely add either foo or foo=bar to a search, and it can specify whether the term should be added to the first search clause, or added after any renames, rex clauses, and so on."

I know how to use "addterm" to add "foo=bar" to my base search, and this is the only example I could find in the documentation. Does anyone know how to add renames or rex clauses after the base search string?

leo_wang
Path Finder

I have this question because I'm designing a form search page like "Using form search patterns but retaining the SearchBar" in UI-Example. In this form search, the base search string comes from the SearchBar, but I still need to add my own search clauses (like rex, lookup, rename, etc.) to control the search results. Any ideas for my situation?

gkanapathy
Splunk Employee

And probably just stringreplace plus macros would be sufficient.

0 Karma

gkanapathy
Splunk Employee

I would simply use the stringreplace intention, HiddenPostProcess and/or macros. In my opinion, all other intentions are unnecessary and confusing.

0 Karma

sideview
SplunkTrust

Aside from stringreplace and addterm there are a couple other intentions but they are hardly ever used. There is one called 'addCommand' but it is surprisingly limited, probably not documented anywhere, not widely used and you should proceed very carefully if at all.

If you have a use case where it's complex enough that addterm won't work, you go to stringreplace. If for some reason the complexity of stringreplace is annoying, or if the $foo$ tokens cannot be present in the search, then you could use either a custom module or some custom JS in application.js to modify the search string directly.

gkanapathy
Splunk Employee

Where were you hoping to use this? It's not clear to me that intentions are useful except in advanced XML, and there mostly because you have to use them. I mostly only have use for the stringreplace intention in that case, and I would rather be able to just construct the search string myself without the intentions getting in the way.

0 Karma