Advanced XML Form Search Problem

nrelihan
Explorer

Has anybody found a fix to convert a form search from simple to advanced XML? I get the following error when I convert it via ?showsource=1:
"PARSER: Applying intentions failed 'unicode' object has no attribute 'get'"
I then tried the "fixes" that were supplied on this forum with no luck.
1. Adding ""
2. Swapping the param modules.

I tested these fixes on a simple test form search that is created when you create a new app, in case it was related to my code. So the issue seems to be purely down to incorrect translation from simple to advanced XML.
If any Splunk developer is listening, can you please post the correct translation?

Thanks.


Drainy
Champion

How about;

  <module name="HiddenSearch" layoutPanel="viewHeader">
    <param name="search">index=sample from="$from$"</param>
    <param name="earliest">-12h@h</param>
    <param name="latest">-5m@m</param>
    <module name="ExtendedFieldSearch">
      <param name="replacementMap">
        <param name="arg">
          <param name="from"/>
        </param>
      </param>
      <param name="field">from</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="from">
            <param name="fillOnEmpty">True</param>
          </param>
        </param>
      </param>
      <module name="SubmitButton">
        <param name="allowSoftSubmit">True</param>
        <param name="label">Search</param>
        <module name="JobStatus">
          <module name="EnablePreview" layoutPanel="panel_row1_col1">
            <param name="enable">True</param>
            <param name="display">False</param>
            <module name="SimpleResultsTable">
              <param name="count">20</param>
              <param name="drilldown">row</param>
              <param name="allowTransformedFieldSelect">True</param>
              <module name="ConvertToDrilldownSearch">
                <module name="ViewRedirector">
                  <param name="viewTarget">flashtimeline</param>
                </module>
              </module>
            </module>
            <module name="ViewRedirectorLink">
              <param name="viewTarget">flashtimeline</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>

If it works then don't forget to accept this as the right answer 🙂

If it doesn't then leave a comment with any errors etc. you may have. (Obviously the above is missing the view, label and header fields.)

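An added example, not code from this thread or from Splunk: a small lint for the advanced XML in the answer above. It checks that each ExtendedFieldSearch names the same key in `replacementMap` and in its `stringreplace` intention, that the intention's entry is a nested param group rather than flat text, and that a HiddenSearch search carries the matching `$key$` token. These rules are inferred from the working snippets in this thread, not from a documented schema; the flat-text check is an assumption about what the `'unicode' object has no attribute 'get'` error points to, and the second field (`to`) and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the answer's fragment plus a hypothetical "to" field with a flat intention arg.
SAMPLE_VIEW = """
<view>
  <module name="HiddenSearch">
    <param name="search">index=sample from="$from$"</param>
    <module name="ExtendedFieldSearch">
      <param name="replacementMap"><param name="arg"><param name="from"/></param></param>
      <param name="field">from</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg"><param name="from"><param name="fillOnEmpty">True</param></param></param>
      </param>
      <module name="ExtendedFieldSearch">
        <param name="replacementMap"><param name="arg"><param name="to"/></param></param>
        <param name="field">to</param>
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg"><param name="to">True</param></param>
        </param>
      </module>
    </module>
  </module>
</view>
"""

def keys(node, path):
    """Return {name: element} for the children of the nested param at path."""
    for name in path:
        node = None if node is None else node.find(f"param[@name='{name}']")
    return {} if node is None else {p.get("name"): p for p in node.findall("param")}

def lint_view(xml_text):
    """Check each ExtendedFieldSearch against the shape of the working snippets."""
    root, findings = ET.fromstring(xml_text), []
    searches = root.iterfind(".//module[@name='HiddenSearch']/param[@name='search']")
    tokens = {t for s in searches for t in re.findall(r"\$(\w+)\$", s.text or "")}
    for mod in root.iterfind(".//module[@name='ExtendedFieldSearch']"):
        rmap, args = keys(mod, ["replacementMap", "arg"]), keys(mod, ["intention", "arg"])
        for key in sorted(set(rmap) | set(args)):
            if key not in rmap or key not in args:
                findings.append(f"{key}: not in both replacementMap and intention")
            elif len(args[key]) == 0:  # no child params: the value is plain text
                findings.append(f"{key}: intention arg is text, not nested params")
            if key not in tokens:
                findings.append(f"{key}: no ${key}$ token in any HiddenSearch search")
    return findings
```

Calling `lint_view(SAMPLE_VIEW)` reports only the constructed `to` field; the `from` field copied from the answer passes all three checks.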

nrelihan
Explorer

Hey Draineh, I'll try that now. I got it working just there also (by copying an existing app).
Thanks.

<module name="ExtendedFieldSearch">
  <param name="label">from</param>
  <param name="field">from</param>
  <param name="replacementMap">
    <param name="arg">
      <param name="from">
        <param name="value"></param>
      </param>
    </param>
  </param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
      <param name="from">
        <param name="default"></param>
        <param name="fillOnEmpty">false</param>
      </param>
    </param>
  </param>
</module>


nrelihan
Explorer


index=sample from="$from$"

<module name="ExtendedFieldSearch">
  <param name="replacementMap">
    <param name="arg">
      <param name="from"/>
    </param>
  </param>
  <param name="field">from</param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
      <param name="from">
        <param name="fillOnEmpty">True</param>
      </param>
    </param>
  </param>
</module>

Drainy
Champion

From memory I couldn't tell you but if you could post your new advanced xml I could probably fix it fairly quickly
