Splunk Search

How to use "Intention" to add search clauses after the "base search string"

Path Finder

I have read the this page about the concept of "Intention" : http://www.splunk.com/base/Splexicon:Intention

It says : "the addterm intention can safely add either foo or foo=bar to a search, and it can specify wither the term should be added to the first search clause, or added after any renames, rex clauses, and so on. "

I know how to use "addterm" to add "foo=bar" to a my base search, and this is the only one example I could find on the document, Is anyone know how to add an renames, rex clauses after the base search string?

Path Finder

I have such question because I'm designing a form search page like "Using form search patterns but retaining the SearchBar" in UI-Example. In this form search, the base search string is coming from the SearchBar,but I still need to add my own search clauses ( like rex,lookup,rename....etc) to control the search results, any ideas to my situation ?

Splunk Employee
Splunk Employee

And probably just stringreplace plus macros would be sufficient.

0 Karma

Splunk Employee
Splunk Employee

I would simply use the stringreplace intention, HiddenPostProcess and/or macros. In my opinion, all other intentions are unnecessary and confusing.

0 Karma

SplunkTrust
SplunkTrust

Aside from stringreplace and addterm there are a couple other intentions but they are hardly ever used. There is one called 'addCommand' but it is surprisingly limited, probably not documented anywhere, not widely used and you should proceed very carefully if at all.

If you have a use case where its complex enough to where addterm wont work, you go to stringreplace. If for some reason the complexity of stringreplace is annoying or if the $foo$ tokens cannot be present in the search then you could use either a custom module or some custom JS in application.js to modify the search string directly.

Splunk Employee
Splunk Employee

where were you hoping to use this? it's not clear to me that intentions are useful except in advanced XML, and there mostly because you have to use them. i mostly only have use for the stringreplace intention in that case, and i would rather be able to just construct the search string myself without the intentions getting in the way.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!