Hi All,
I am creating a dashboard with a table, which when clicked will open another chart in the same dashboard depending on the click value. I am using a covertTointention for this. But this not behaving as i wanted it to be. Following is the setting i am using.
<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
<param name="search">| inputlookup address | stats values(address) as device_ip by hostname location model | sort hostname</param>
<module name="JobProgressIndicator" />
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="Paginator">
<param name="count">25</param>
<param name="entityName">results</param>
<param name="maxPages">10</param>
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<param name="entityName">results</param>
<module name="HiddenSearch" layoutPanel="panel_row2_col2">
<param name="search">index="service_monitor" | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="hostname">$click.value$</param>
</param>
</param>
<module name="SimpleResultsHeader" layoutPanel="panel_row2_col2">
<param name="entityName">results</param>
<param name="headerFormat">CPU Info in percentage.</param>
</module>
<module name="JobProgressIndicator" />
<module name="SimpleResultsTable" />
</module>
</module>
</module>
</module>
</module>
</module>
When I run this, the intention which is hostname="blash" will only be applied after the hidden search, like below
index="service_monitor" | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)" | search *hostname="blash"*
But I am looking for something like below.
index="service_monitor" hostname="blash" | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"
Note: Please disregard the search above. Its just an example to show what i am trying to do.
How can I achieve this ? Any advice ?
Thanks in Advance.
KK
Well you're already using Sideview Utils because you're using the Sideview Search module up at the top. So it's a little strange that you're still using the intentions system here at all. Sideview utils adds a lot of improvements and one of the bigger ones is that you pretty much don't have to use or even think about intentions anymore.
I think if you were to stick with using intentions, there's also a problem that you're using the addterm intention, whereas here you probably need the stringreplace intention. the addterm here is just going to tack a hostname="foo"
onto the end of your stats clause I think.
But the best answer I think is to more fully utilize the Sideview modules. Here's the same config but partially rewritten.
<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
<param name="search">| inputlookup address | stats values(address) as device_ip by hostname location model | sort hostname</param>
<module name="JobProgressIndicator" />
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
</module>
<module name="Pager">
<param name="count">25</param>
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<param name="entityName">results</param>
<module name="Search" layoutPanel="panel_row2_col2">
<param name="search">index="service_monitor" $click.searchTerms$ | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>
<module name="HTML">
<param name="html"><![CDATA[
<h3>CPU Info in percentage.</h3>
]]></param>
</module>
<module name="JobProgressIndicator" />
<module name="SimpleResultsTable" />
</module>
</module>
</module>
</module>
Well you're already using Sideview Utils because you're using the Sideview Search module up at the top. So it's a little strange that you're still using the intentions system here at all. Sideview utils adds a lot of improvements and one of the bigger ones is that you pretty much don't have to use or even think about intentions anymore.
I think if you were to stick with using intentions, there's also a problem that you're using the addterm intention, whereas here you probably need the stringreplace intention. the addterm here is just going to tack a hostname="foo"
onto the end of your stats clause I think.
But the best answer I think is to more fully utilize the Sideview modules. Here's the same config but partially rewritten.
<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
<param name="search">| inputlookup address | stats values(address) as device_ip by hostname location model | sort hostname</param>
<module name="JobProgressIndicator" />
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
</module>
<module name="Pager">
<param name="count">25</param>
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<param name="entityName">results</param>
<module name="Search" layoutPanel="panel_row2_col2">
<param name="search">index="service_monitor" $click.searchTerms$ | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>
<module name="HTML">
<param name="html"><![CDATA[
<h3>CPU Info in percentage.</h3>
]]></param>
</module>
<module name="JobProgressIndicator" />
<module name="SimpleResultsTable" />
</module>
</module>
</module>
</module>
Great! I should add that the $click.searchTerms$ key there -- I think that's only in relatively recent copies of Sideview Utils. If you only have the old version that's on Splunkbase you'll have to use the older key - $click.fields.host$, or the legacy splunk key = $click.value$.
Thanks mate. It worked. Sideviewutil rocks !!!
You can try something like this, instead of the convertToIntention
<module name="Search" layoutPanel="panel_row2_col2">
<param name="search">index="service_monitor" hostname=$click.value$ | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>
</module>
Usually intention will be applied as below.
index="cds_service_monitor_engine" | delta web_get_requests as delta_web_get p=1 | eval abs_web_get=abs(delta_web_get) | search hostname="blash" | stats max(abs_web_get) as Web_get_req sparkline(max(abs_web_get)) as "Trend Web_get_req"
By using the reporting command table, intention will move.
index="cds_service_monitor_engine" hostname="blash" | table web_get_requests | delta web_get_requests as delta_web_get p=1 | eval abs_web_get=abs(delta_web_get) | stats max(abs_web_get) as Web_get_req sparkline(max(abs_web_get)) as "Trend Web_get_req"
Above trick did'nt work. however I found a work around. The converttointention always will be applied just before the reporting command. So use any possible reporting command, where the intention needs to be applied.
As I said the above search string was a sample. here is a near actual one.
index="service_monitor" | delta web_get_requests as delta_web_get p=1 | eval abs_web_get=abs(delta_web_get) | stats max(abs_web_get) as Web_get_req sparkline(max(abs_web_get)) as "Trend Web_get_req"
You'll have to play around with the different $click.value$ options to get the correct column value from the row the user is clicking on.