Splunk Search

click a table using converttointention

KarunK
Contributor

Hi All,

I am creating a dashboard with a table, which when clicked will open another chart in the same dashboard depending on the click value. I am using a ConvertToIntention for this. But this is not behaving as I wanted it to. Following is the setting I am using.

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
   <param name="search">| inputlookup address  | stats values(address) as device_ip by hostname location model | sort hostname</param>
   <module name="JobProgressIndicator" />
   <module name="EnablePreview">
      <param name="enable">True</param>
      <param name="display">False</param>
      <module name="Paginator">
         <param name="count">25</param>
         <param name="entityName">results</param>
         <param name="maxPages">10</param>
         <module name="SimpleResultsTable">
            <param name="drilldown">row</param>
            <param name="entityName">results</param>
            <module name="HiddenSearch" layoutPanel="panel_row2_col2">
               <param name="search">index="service_monitor"  | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>
               <module name="ConvertToIntention">
                  <param name="intention">
                     <param name="name">addterm</param>
                     <param name="arg">
                        <param name="hostname">$click.value$</param>
                     </param>
                  </param>
                  <module name="SimpleResultsHeader" layoutPanel="panel_row2_col2">
                     <param name="entityName">results</param>
                     <param name="headerFormat">CPU Info in percentage.</param>
                  </module>
                  <module name="JobProgressIndicator" />
                  <module name="SimpleResultsTable" />
               </module>
            </module>
         </module>
      </module>
   </module>
</module>

When I run this, the intention which is hostname="blash" will only be applied after the hidden search, like below

index="service_monitor" | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)" | search *hostname="blash"*

But I am looking for something like below.

index="service_monitor" hostname="blash" | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"

Note: Please disregard the search above. It's just an example to show what I am trying to do.

How can I achieve this? Any advice?

Thanks in Advance.

KK

0 Karma
1 Solution

sideview
SplunkTrust

Well you're already using Sideview Utils because you're using the Sideview Search module up at the top. So it's a little strange that you're still using the intentions system here at all. Sideview utils adds a lot of improvements and one of the bigger ones is that you pretty much don't have to use or even think about intentions anymore.

I think if you were to stick with using intentions, there's also a problem that you're using the addterm intention, whereas here you probably need the stringreplace intention. The addterm here is just going to tack a hostname="foo" onto the end of your stats clause I think.

But the best answer I think is to more fully utilize the Sideview modules. Here's the same config but partially rewritten.

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">| inputlookup address  | stats values(address) as device_ip by hostname location model | sort hostname</param>

  <module name="JobProgressIndicator" />

  <module name="EnablePreview">
    <param name="enable">True</param>
    <param name="display">False</param>
  </module> 

  <module name="Pager">
    <param name="count">25</param>

    <module name="SimpleResultsTable">
      <param name="drilldown">row</param>
      <param name="entityName">results</param>

      <module name="Search" layoutPanel="panel_row2_col2">
        <param name="search">index="service_monitor" $click.searchTerms$ | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>

        <module name="HTML">
          <param name="html"><![CDATA[
          <h3>CPU Info in percentage.</h3>
          ]]></param>
        </module>
        <module name="JobProgressIndicator" />
        <module name="SimpleResultsTable" />
      </module>
    </module>
  </module>
</module>
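As an added illustration (not code from this thread or from Sideview Utils), the following Python models the difference the thread is about: a term appended after the reporting command, where stats output no longer has a hostname field, versus a term placed in the base search before the first pipe. It also quotes and escapes the clicked value as an SPL string literal, which an unquoted hostname=$click.value$ does not do; the escaping rules and the placement logic here are assumptions of this example, not Sideview's implementation.

```python
# Base search from the thread (the part before the first pipe is the
# event search; everything after it is the reporting command).
SEARCH = ('index="service_monitor" | stats max(cpu_avg) AS "CPU Usage (Avg)", '
          'sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"')


def quote_value(value: str) -> str:
    """Quote a clicked value as an SPL string literal.

    Backslashes and double quotes are escaped (assumed SPL convention) so a
    value containing spaces, quotes or pipes stays a single literal and
    cannot close the quote and contribute extra search terms.
    """
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def append_after_reporting(search: str, field: str, value: str) -> str:
    """What the poster observed addterm doing: the filter is appended after
    the reporting command, so it runs against stats output and matches
    nothing because that output has no hostname field."""
    return f'{search} | search {field}={quote_value(value)}'


def add_to_base_search(search: str, field: str, value: str) -> str:
    """What the poster wanted: insert the term into the base search, before
    the first pipe, so it restricts the events that feed stats."""
    head, sep, rest = search.partition('|')
    term = f'{field}={quote_value(value)}'
    new_head = f'{head.strip()} {term}'
    if not sep:
        return new_head
    return f'{new_head} {sep} {rest.strip()}'


if __name__ == '__main__':
    print(append_after_reporting(SEARCH, 'hostname', 'blash'))
    print(add_to_base_search(SEARCH, 'hostname', 'blash'))
```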


sideview
SplunkTrust

Great! I should add that the $click.searchTerms$ key there -- I think that's only in relatively recent copies of Sideview Utils. If you only have the old version that's on Splunkbase you'll have to use the older key - $click.fields.host$, or the legacy splunk key = $click.value$.

0 Karma

KarunK
Contributor

Thanks mate. It worked. Sideviewutil rocks !!!

0 Karma

aholzer
Motivator

You can try something like this, instead of the convertToIntention:

<module name="Search" layoutPanel="panel_row2_col2">
  <param name="search">index="service_monitor" hostname=$click.value$ | stats max(cpu_avg) AS "CPU Usage (Avg)", sparkline(max(cpu_avg)) as "Trend CPU Usage (Avg)"</param>
</module>
0 Karma

KarunK
Contributor

Usually intention will be applied as below.

index="cds_service_monitor_engine" | delta web_get_requests as delta_web_get p=1 | eval abs_web_get=abs(delta_web_get) | search hostname="blash" | stats max(abs_web_get) as Web_get_req sparkline(max(abs_web_get)) as "Trend Web_get_req"

By using the reporting command table, intention will move.

index="cds_service_monitor_engine" hostname="blash" | table web_get_requests | delta web_get_requests as delta_web_get p=1 | eval abs_web_get=abs(delta_web_get) | stats max(abs_web_get) as Web_get_req sparkline(max(abs_web_get)) as "Trend Web_get_req"

0 Karma

KarunK
Contributor

Above trick didn't work. However, I found a workaround. The ConvertToIntention will always be applied just before the reporting command. So use any possible reporting command where the intention needs to be applied.

As I said, the above search string was a sample. Here is a near-actual one.

index="service_monitor" | delta web_get_requests as delta_web_get p=1 | eval abs_web_get=abs(delta_web_get) | stats max(abs_web_get) as Web_get_req sparkline(max(abs_web_get)) as "Trend Web_get_req"

0 Karma

aholzer
Motivator

You'll have to play around with the different $click.value$ options to get the correct column value from the row the user is clicking on.

0 Karma