Dashboards & Visualizations

Drilldown search operators out of order

heathm
Explorer

I have a simple dashboard which displays two bar charts, such as the one below:

<chart>
  <searchName>Errors over Host</searchName>
  <title>Errors by Test Host</title>
  <option name="drilldown">all</option>
</chart>

Here is the saved search:

index="app" sourcetype="wresults" errors>0 OR failures>0 | chart sum(errors), sum(failures) over host

However, when I try to drilldown, the search terms are jumbled and I don't get the results I'm expecting because of a misplaced "OR". Here is the resulting search string when I click on host "apptest01":

errors>0 failures>0 index="app" sourcetype="wresults" OR host="apptest01"

I'm running Windows x64 version 4.1.5. How can I ensure that the original search string is preserved in the drilldown?

Thanks

1 Solution

sideview
SplunkTrust

As a cheap trick, I would try wrapping the errors OR failures terms in their own parens.

( errors>0 OR failures>0 )

That might make the busted decomposition code take notice that it's dealing with a clause rather than just a jumble of terms.

If that doesn't work you could disable addterm decomposition by putting this:

disabled_decomposers = addterm,addtermgt,addtermlt

into the [settings] stanza of etc/system/local/web.conf

more details: the table and chart drilldown code in the UI is fine. The 'drilldown' intention is actually fine too. What's happening is that when you load the new ?q=<your search> URL in the browser Splunk tries to 'decompose' the search into intentions and this can be quite spotty. I don't use this part of the Splunk UI anymore, having written a number of custom modules to provide easier and more sensible permalinking. I have an app to package this stuff as well as document it and I should have that app up on splunkbase in the next week or two.

UPDATE - My bad. I directed you to disable only the 'addterm' decomposition, but you also need to disable addtermgt (and I'd disable addtermlt for good measure)

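Why the jumbled drilldown string returns different events than the saved search: Splunk evaluates parentheses first, then NOT, then OR, and last the implicit AND between adjacent terms, so the original `index="app" sourcetype="wresults" errors>0 OR failures>0` means index AND sourcetype AND (errors>0 OR failures>0), while the drilldown string `errors>0 failures>0 index="app" sourcetype="wresults" OR host="apptest01"` means errors>0 AND failures>0 AND index AND (sourcetype OR host). The toy evaluator below is an added illustration of that precedence over constructed events; it is not Splunk's code or anything from the posters, and it only models the search terms, not the `chart` command.

```python
import re

# Constructed sample events, all in index="app" (not taken from the original post).
EVENTS = [
    {"index": "app", "sourcetype": "wresults", "host": "apptest01", "errors": 3, "failures": 0},
    {"index": "app", "sourcetype": "wresults", "host": "apptest01", "errors": 0, "failures": 0},
    {"index": "app", "sourcetype": "syslog", "host": "apptest01", "errors": 1, "failures": 1},
    {"index": "app", "sourcetype": "wresults", "host": "apptest02", "errors": 0, "failures": 2},
]
OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def term(tok):
    """Predicate for one field<op>value term; compares numerically when both sides are numbers."""
    m = re.fullmatch(r'([^<>=]+)([<>=])"?([^"]*)"?', tok)
    if not m: raise ValueError(f"unsupported term: {tok}")
    field, op, raw = m.groups()
    def pred(e):
        v = e.get(field)
        try:
            return OPS[op](float(v), float(raw))
        except (TypeError, ValueError):  # missing field or a non-numeric side: compare as strings
            return v is not None and OPS[op](str(v), raw)
    return pred

def parse(search):
    """Recursive descent with Splunk precedence: parentheses, then OR, then the implicit AND."""
    toks, pos = re.findall(r"\(|\)|[^\s()]+", search), [0]  # pos is a list so closures can bump it
    def and_expr():  # adjacent terms are ANDed; this is the loosest-binding level
        parts = [or_expr()]
        while pos[0] < len(toks) and toks[pos[0]] != ")":
            parts.append(or_expr())
        return lambda e: all(p(e) for p in parts)
    def or_expr():  # OR binds tighter than the implicit AND
        parts = [atom()]
        while pos[0] < len(toks) and toks[pos[0]] == "OR":
            pos[0] += 1
            parts.append(atom())
        return lambda e: any(p(e) for p in parts)
    def atom():  # a parenthesised group or a single term
        tok, pos[0] = toks[pos[0]], pos[0] + 1
        if tok != "(":
            return term(tok)
        inner = and_expr()
        pos[0] += 1  # consume the closing ')'
        return inner
    return and_expr()

def matches(search, events=EVENTS):
    """Indices of the events a search retrieves under Splunk's precedence rules."""
    pred = parse(search)
    return [i for i, e in enumerate(events) if pred(e)]
```

Running the saved search against these events returns events 0 and 3, the jumbled drilldown returns only event 2 (a syslog event that the saved search never matched, while the real apptest01 error is dropped), and the parenthesised form with the host term returns event 0 alone.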

heathm
Explorer

I couldn't do anything to preserve the original search, but I was able to get rid of the "OR" operator by using an eval expression to populate a single search field and this worked:

index="app" sourcetype="wresults" | eval fail = if(errors>0 OR failures>0, "Failed", "OK") | search fail=Failed | chart sum(errors), sum(failures) over host

The resulting drilldown search is identical to the original with the addition of the "host" field.



sideview
SplunkTrust

Cool. Yeah, that makes sense. The decomposition was causing the bug. The parens were just a wacky idea to try and work around the problem.


heathm
Explorer

I should add - I did not need to add parens with the config change.


heathm
Explorer

Disabling all three did fix it. Thanks.


sideview
SplunkTrust

Sorry - I was wrong - I should have said disable addterm, addtermgt and addtermlt. Not just addterm. If you disable all three I think it'll work.


heathm
Explorer

I tried both of those suggestions and they all resulted in slightly different search strings, but none worked. Using parens always resulted in an invalid expression, whereas the other configs gave valid expressions, just not the correct ones.
