Splunk Search

SearchSelectLister

Dark_Ichigo
Builder

I have the following Advanced XML code that contains both a Static Select and a SearchSelectLister, My main goal is to achieve what has been achieved in the UI_Examples App under Listers 4: 2 listers driving multiple elements

I really Want to know why my second dropdown list isnt retrieving any values?, even though my search does contain only one field to collect:

<?xml version="1.0"?>
<view template="dashboard.html" stylesheet="application.css">
        <label>Listers</label>
        <module name="AccountBar" layoutPanel="appHeader"/>
        <module name="AppBar" layoutPanel="navigationHeader"/>
        <module name="TitleBar" layoutPanel="viewHeader">
                <param name="showActionsMenu">false</param>
        </module>




<module name="HiddenSearch" layoutPanel="mainSearchControls" autoRun="True">
      <module name="StaticSelect">
        <param name="settingToCreate">group</param>
        <param name="label">field:</param>
        <param name="staticFieldsToDisplay">
          <list>
            <param name="label">BUG</param>
            <param name="value">bug</param>
          </list>
          <list>
            <param name="label">WORM</param>
            <param name="value">worm</param>
          </list>
        </param>
    <module name="ConvertToIntention">
      <param name="settingToConvert">group</param>
      <param name="intention">
        <param name="name">addterm</param>
        <param name="arg">
          <param name="service_setting">
          <param name="group">$target$</param>
        </param>
       </param>
        <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
        <param name="flags"><list>indexed</list></param>
      </param>


      <module name="SearchSelectLister">
        <param name="searchWhenChanged">True</param>

        <param name="settingToCreate">series_setting</param>
        <param name="label">value:</param>
        <param name="applyOuterIntentionsToInternalSearch">True</param>
        <!-- 
        NOTE: this param is only in 4.1.5 and up. 
        <param name="applyOuterTimeRangeToInternalSearch">True</param>
        -->
        <param name="search">`"SearchString that retrieves a field named ERROR"</param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">ERROR</param>
            <param name="value">ERROR</param>
          </list>
         </param>
        <module name="ConvertToIntention">
          <param name="settingToConvert">series_setting</param>
          <param name="intention">
            <param name="name">addterm</param>
            <param name="arg">
            <param name="ERROR">
              <param name="series_setting">$target$</param>
            </param>
            </param>
            <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
            <param name="flags"><list>indexed</list></param>
          </param>


   </module>
   </module> 
   </module>
   </module>  
   </module>

</view>

Should I use EntitySelectLister instead?

Any Help would be Great!

----------------------------NICK!

What the difference between the two? addterm and stringplace?

and Why doesnt the SearchSelectLister extract the field it Generates?

It works for the ui_examples app, but why not with my search? :

`getSummaryIndex("All")`  | eval Service=case("service"="service",case(`isDownload`," Downloads",`isIngestion`,"Ingestion",`isAdmin`,"Admin"))  | stats sum(trans) by _time, Service | table Service | top limit=5 Service head 5
1 Solution

Dark_Ichigo
Builder

I figured out the problem, apparently UI_examples doesnt fully explain how the "SearchSelectLister" is meant to be used, the ui_examples sadly doesn't really document much of what is shown!

The following is the ultimate solution......Thanks but no thanks UI_Examples!

<module name="HiddenSearch" layoutPanel="mainSearchControls" autoRun="True">
     <module name="TimeRangePicker">
      <param name="searchWhenChanged">True</param>
      <module name="StaticSelect">
        <param name="settingToCreate">label</param>
        <param name="label">field:</param>
        <param name="staticFieldsToDisplay">
          <list>
            <param name="label">labeltime</param>
            <param name="value">labeltime</param>
          </list>
          <list>
            <param name="label">listtime</param>
            <param name="value">listtime</param>
          </list>
        </param>
        <module name="ConvertToIntention">
          <param name="settingToConvert">label</param>
          <param name="intention">
            <param name="name">stringreplace</param>
            <param name="arg">
            <param name="label">
              <param name="value">$target$</param>
           </param>
           </param>

            <param name="flags"><list>indexed</list></param>
          </param>


 <module name="SearchSelectLister">
           <param name="searchWhenChanged">True</param>

            <param name="settingToCreate">label</param>
            <param name="label">value:</param>

            <param name="applyOuterIntentionsToInternalSearch">True</param>

           <param name="search">`list($label$)`</param>
            <param name="searchFieldsToDisplay">
              <list>
                <param name="label">listtime</param>
                <param name="value">listtime</param>
              </list>
              <list>
                <param name="label">labeltime</param>
                <param name="value">labeltime</param>
              </list>

             </param>

Thanks again Nick!

View solution in original post

Dark_Ichigo
Builder

I figured out the problem, apparently UI_examples doesnt fully explain how the "SearchSelectLister" is meant to be used, the ui_examples sadly doesn't really document much of what is shown!

The following is the ultimate solution......Thanks but no thanks UI_Examples!

<module name="HiddenSearch" layoutPanel="mainSearchControls" autoRun="True">
     <module name="TimeRangePicker">
      <param name="searchWhenChanged">True</param>
      <module name="StaticSelect">
        <param name="settingToCreate">label</param>
        <param name="label">field:</param>
        <param name="staticFieldsToDisplay">
          <list>
            <param name="label">labeltime</param>
            <param name="value">labeltime</param>
          </list>
          <list>
            <param name="label">listtime</param>
            <param name="value">listtime</param>
          </list>
        </param>
        <module name="ConvertToIntention">
          <param name="settingToConvert">label</param>
          <param name="intention">
            <param name="name">stringreplace</param>
            <param name="arg">
            <param name="label">
              <param name="value">$target$</param>
           </param>
           </param>

            <param name="flags"><list>indexed</list></param>
          </param>


 <module name="SearchSelectLister">
           <param name="searchWhenChanged">True</param>

            <param name="settingToCreate">label</param>
            <param name="label">value:</param>

            <param name="applyOuterIntentionsToInternalSearch">True</param>

           <param name="search">`list($label$)`</param>
            <param name="searchFieldsToDisplay">
              <list>
                <param name="label">listtime</param>
                <param name="value">listtime</param>
              </list>
              <list>
                <param name="label">labeltime</param>
                <param name="value">labeltime</param>
              </list>

             </param>

Thanks again Nick!

helge
Builder

The param "applyOuterIntentionsToInternalSearch" is very helpful. Thanks.

0 Karma

immortalraghava
Path Finder

WHat it does ? Please explain

0 Karma

sideview
SplunkTrust
SplunkTrust

The only way to learn about intentions is hard -- you have to study the various addterm and stringreplace syntax in ui examples quite hard and figure it out. There are still no real docs that attempt an explanation outside of UI Examples. If you want to never use intentions again on the other hand, I would check out the Sideview Utils app.

sideview
SplunkTrust
SplunkTrust

Well addterm will only add searchterms. So in this case it would try and add a | service_setting="None" clause after your top clause. If you change the intention name to stringreplace on the other hand, it will look for $service_setting$ in the search string and substitute group=<bug_or_worm> instead. As I mentioned the intention structure you're using wont work for addterm (see below), and this 'group' and 'service' names are telling me that you've copied and pasted from different examples -- eg one where the example was showing a group= searchterm in the metrics log.

0 Karma

sideview
SplunkTrust
SplunkTrust

No, EntitySelectLister will do you no good here.

What's the actual search? You have it here as "SearchString that retrieves a field named ERROR"

Also, the intention syntax doesnt make much sense:

<param name="intention">
  <param name="name">addterm</param>
  <param name="arg">
    <param name="service_setting">
      <param name="group">$target$</param>
    </param>
  </param>

I think that if this does anything at all, it'll add a term into your search that might look like:

 serviceSetting=None

And it's quite possible that it's just being seen as invalid addterm syntax and ignored entirely.

I suspect that this is actually a stringreplace intention that's had the 'stringreplace' name replaced with addterm but the two are really quite different. In the UI Examples app you'll be able to find a genuine example of an 'addterm' intention to start from and I think the end product will look something like this:

<param name="intention">
  <param name="name">addterm</param>
  <param name="arg">
    <param name="group">$target$</param>
  </param>

You also might look at Sideview Utils. Sideview utils is a Splunk app that packages a number of new modules to supercede core Splunk User Interface Modules, and among other benefits you dont have to deal with intentions at all.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...