Splunk Search

click a table using converttointention

KarunK
Contributor

Hi All,

I am creating a dashboard with a table, which when clicked will open another chart in the same dashboard depending on the click value. I am using a covertTointention for this. But this not behaving as i wanted it to be. Following is the setting i am using.

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
   <param name="search">| inputlookup address  | stats values(address) as device_ip by hostname location model | sort hostname</param>
   <module name="JobProgressIndicator" />
   <module name="EnablePreview">
      <param name="enable">True</param>
      <param name="display">False</param>
      <module name="Paginator">
         <param name="count">25</param>
         <param name="entityName">results</param>
         <param name="maxPages">10</param>
         <module name="SimpleResultsTable">
            <param name="drilldown">row</param>
            <param name="entityName">results</param>
            <module name="HiddenSearch" layoutPanel="panel_row2_col2">
               <param name="search">index="service_monitor"  | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>
               <module name="ConvertToIntention">
                  <param name="intention">
                     <param name="name">addterm</param>
                     <param name="arg">
                        <param name="hostname">$click.value$</param>
                     </param>
                  </param>
                  <module name="SimpleResultsHeader" layoutPanel="panel_row2_col2">
                     <param name="entityName">results</param>
                     <param name="headerFormat">CPU Info in percentage.</param>
                  </module>
                  <module name="JobProgressIndicator" />
                  <module name="SimpleResultsTable" />
               </module>
            </module>
         </module>
      </module>
   </module>
</module>

When I run this, the intention which is hostname="blash" will only be applied after the hidden search, like below

index="service_monitor" | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)" | search *hostname="blash"*

But I am looking for something like below.

index="service_monitor" hostname="blash" | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"

Note: Please disregard the search above. Its just an example to show what i am trying to do.

How can I achieve this ? Any advice ?

Thanks in Advance.

KK

0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

Well you're already using Sideview Utils because you're using the Sideview Search module up at the top. So it's a little strange that you're still using the intentions system here at all. Sideview utils adds a lot of improvements and one of the bigger ones is that you pretty much don't have to use or even think about intentions anymore.

I think if you were to stick with using intentions, there's also a problem that you're using the addterm intention, whereas here you probably need the stringreplace intention. the addterm here is just going to tack a hostname="foo" onto the end of your stats clause I think.

But the best answer I think is to more fully utilize the Sideview modules. Here's the same config but partially rewritten.

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">| inputlookup address  | stats values(address) as device_ip by hostname location model | sort hostname</param>

  <module name="JobProgressIndicator" />

  <module name="EnablePreview">
    <param name="enable">True</param>
    <param name="display">False</param>
  </module> 

  <module name="Pager">
    <param name="count">25</param>

    <module name="SimpleResultsTable">
      <param name="drilldown">row</param>
      <param name="entityName">results</param>

      <module name="Search" layoutPanel="panel_row2_col2">
        <param name="search">index="service_monitor" $click.searchTerms$ | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>

        <module name="HTML">
          <param name="html"><![CDATA[
          <h3>CPU Info in percentage.</h3>
          ]]></param>
        </module>
        <module name="JobProgressIndicator" />
        <module name="SimpleResultsTable" />
      </module>
    </module>
  </module>
</module>

View solution in original post

sideview
SplunkTrust
SplunkTrust

Well you're already using Sideview Utils because you're using the Sideview Search module up at the top. So it's a little strange that you're still using the intentions system here at all. Sideview utils adds a lot of improvements and one of the bigger ones is that you pretty much don't have to use or even think about intentions anymore.

I think if you were to stick with using intentions, there's also a problem that you're using the addterm intention, whereas here you probably need the stringreplace intention. the addterm here is just going to tack a hostname="foo" onto the end of your stats clause I think.

But the best answer I think is to more fully utilize the Sideview modules. Here's the same config but partially rewritten.

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">| inputlookup address  | stats values(address) as device_ip by hostname location model | sort hostname</param>

  <module name="JobProgressIndicator" />

  <module name="EnablePreview">
    <param name="enable">True</param>
    <param name="display">False</param>
  </module> 

  <module name="Pager">
    <param name="count">25</param>

    <module name="SimpleResultsTable">
      <param name="drilldown">row</param>
      <param name="entityName">results</param>

      <module name="Search" layoutPanel="panel_row2_col2">
        <param name="search">index="service_monitor" $click.searchTerms$ | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>

        <module name="HTML">
          <param name="html"><![CDATA[
          <h3>CPU Info in percentage.</h3>
          ]]></param>
        </module>
        <module name="JobProgressIndicator" />
        <module name="SimpleResultsTable" />
      </module>
    </module>
  </module>
</module>

sideview
SplunkTrust
SplunkTrust

Great! I should add that the $click.searchTerms$ key there -- I think that's only in relatively recent copies of Sideview Utils. If you only have the old version that's on Splunkbase you'll have to use the older key - $click.fields.host$, or the legacy splunk key = $click.value$.

0 Karma

KarunK
Contributor

Thanks mate. It worked. Sideviewutil rocks !!!

0 Karma

aholzer
Motivator

You can try something like this, instead of the convertToIntention

<module name="Search" layoutPanel="panel_row2_col2">
  <param name="search">index="service_monitor" hostname=$click.value$ | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>
</module>
0 Karma

KarunK
Contributor

Usually intention will be applied as below.

index="cds_service_monitor_engine" | delta web_get_requests as delta_web_get p=1 | eval abs_web_get=abs(delta_web_get) | search hostname="blash" | stats max(abs_web_get) as Web_get_req sparkline(max(abs_web_get)) as "Trend Web_get_req"

By using the reporting command table, intention will move.

index="cds_service_monitor_engine" hostname="blash" | table web_get_requests | delta web_get_requests as delta_web_get p=1 | eval abs_web_get=abs(delta_web_get) | stats max(abs_web_get) as Web_get_req sparkline(max(abs_web_get)) as "Trend Web_get_req"

0 Karma

KarunK
Contributor

Above trick did'nt work. however I found a work around. The converttointention always will be applied just before the reporting command. So use any possible reporting command, where the intention needs to be applied.

As I said the above search string was a sample. here is a near actual one.

index="service_monitor" | delta web_get_requests as delta_web_get p=1 | eval abs_web_get=abs(delta_web_get) | stats max(abs_web_get) as Web_get_req sparkline(max(abs_web_get)) as "Trend Web_get_req"

0 Karma

aholzer
Motivator

You'll have to play around with the different $click.value$ options to get the correct column value from the row the user is clicking on.

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...