Dashboards & Visualizations

Drilldown search operators out of order

heathm
Explorer

I have a simple dashboard which displays two bar charts, such as the one below:

<chart>
  <searchName>Errors over Host</searchName>
  <title>Errors by Test Host</title>
  <option name="drilldown">all</option>
</chart>

Here is the saved search:

index="app" sourcetype="wresults" errors>0 OR failures>0 | chart sum(errors), sum(failures) over host

However when I try to drilldown, the search terms are jumbled and I don't get the results I'm expecting because of a misplaced "OR". Here is the resulting search string when I click on host "apptest01":

errors>0 failures>0 index="app" sourcetype="wresults" OR host="apptest01"

I'm running Windows x64 version 4.1.5. How can I ensure that the original search string is preserved in the drilldown?

Thanks

1 Solution

sideview
SplunkTrust

As a cheap trick, I would try wrapping the errors OR failures terms in their own parens.

( errors>0 OR failures>0 )

That might make the busted decomposition code take notice that it's dealing with a clause rather than just a jumble of terms.

If that doesn't work, you could disable addterm decomposition by putting this:

disabled_decomposers = addterm,addtermgt,addtermlt

into the [settings] stanza of etc/system/local/web.conf.

More details: the table and chart drilldown code in the UI is fine. The 'drilldown' intention is actually fine too. What's happening is that when you load the new ?q=<your search> URL in the browser, Splunk tries to 'decompose' the search into intentions, and this can be quite spotty. I don't use this part of the Splunk UI anymore, having written a number of custom modules to provide easier and more sensible permalinking. I have an app to package this stuff as well as document it, and I should have that app up on splunkbase in the next week or two.

UPDATE - My bad. I directed you to disable only the 'addterm' decomposition, but you also need to disable addtermgt (and I'd disable addtermlt for good measure).


0 Karma

heathm
Explorer

I couldn't do anything to preserve the original search, but I was able to get rid of the "OR" operator by using an eval expression to populate a single search field and this worked:

index="app" sourcetype="wresults" | eval fail = if(errors>0 OR failures>0, "Failed", "OK") | search fail=Failed | chart sum(errors), sum(failures) over host

The resulting drilldown search is identical to the original with the addition of the "host" field.

0 Karma
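To make the thread's point concrete, here is an added example (not code from the thread or from Splunk): a small Python model of how SPL joins the terms of a base search, run over constructed sample events. It applies the precedence documented in the Splunk Search Manual (adjacent terms are implicitly ANDed, OR is evaluated before that implicit AND) to three search strings: the saved search from the question with the clicked host appended, the jumbled string the drilldown actually produced, and the AND-only base search that is left after the eval workaround above. The event data, the `select`, `add_fail_field` and `order_independent` helpers and the error/failure counts are all constructed for the illustration.

```python
"""Model of how SPL joins base-search terms; an added illustration, not Splunk code.

Rules modelled (Splunk Search Manual, "Boolean expressions"): adjacent terms are
implicitly ANDed, OR is evaluated before that implicit AND (a b OR c means
a AND (b OR c)), parentheses group as usual. Only =, < and > terms are handled."""
import re
from itertools import permutations

# Constructed sample events: index/sourcetype/host follow the thread, counts are invented.
EVENTS = [
    {"index": "app", "sourcetype": "wresults", "host": "apptest01", "errors": 3, "failures": 0},
    {"index": "app", "sourcetype": "wresults", "host": "apptest01", "errors": 0, "failures": 2},
    {"index": "app", "sourcetype": "wresults", "host": "apptest01", "errors": 0, "failures": 0},
    {"index": "app", "sourcetype": "wresults", "host": "apptest02", "errors": 5, "failures": 1},
    {"index": "web", "sourcetype": "access", "host": "apptest01", "errors": 9, "failures": 9},
]

TOKEN_RE = re.compile(r'\(|\)|\bOR\b|(\w+)\s*([<>=])\s*("[^"]*"|[^\s()]+)')

def tokenize(search):
    """Return a list of '(', ')', 'OR' and (field, op, value) tokens."""
    return [m.group(0) if m.group(1) is None else (m.group(1), m.group(2), m.group(3).strip('"'))
            for m in TOKEN_RE.finditer(search)]

def parse(tokens):
    """Recursive descent: and_expr := or_expr+ ; or_expr := primary ('OR' primary)*."""
    pos = 0
    def and_expr():
        nonlocal pos
        parts = []
        while pos < len(tokens) and tokens[pos] != ")":
            parts.append(or_expr())
        return ("AND", parts)

    def or_expr():
        nonlocal pos
        parts = [primary()]
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            parts.append(primary())
        return ("OR", parts)

    def primary():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] in (")", "OR"):
            raise ValueError("invalid expression at token %d" % pos)
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return ("TERM", tok)
        node = and_expr()
        pos += 1  # consume the closing ')'
        return node

    ast = and_expr()
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses")
    return ast

def evaluate(node, event):
    """Evaluate the AST against one event (a dict of field values)."""
    kind, payload = node
    if kind == "AND":
        return all(evaluate(p, event) for p in payload)
    if kind == "OR":
        return any(evaluate(p, event) for p in payload)
    field, op, value = payload
    actual = event.get(field)
    if actual is None:
        return False
    try:  # numeric comparison when both sides are numbers, string comparison otherwise
        actual, value = float(actual), float(value)
    except ValueError:
        actual, value = str(actual), str(value)
    return {"=": actual == value, ">": actual > value, "<": actual < value}[op]

def select(search, events=EVENTS):
    """Indices of the events a base search would return."""
    ast = parse(tokenize(search))
    return [i for i, ev in enumerate(events) if evaluate(ast, ev)]

def add_fail_field(events):
    """Model of the thread's  eval fail = if(errors>0 OR failures>0, "Failed", "OK")."""
    return [dict(ev, fail="Failed" if ev["errors"] > 0 or ev["failures"] > 0 else "OK")
            for ev in events]

def order_independent(terms, events):
    """True when every ordering of the terms selects the same events (AND-only lists do)."""
    return len({tuple(select(" ".join(p), events)) for p in permutations(terms)}) == 1

# INTENDED: the saved search with the clicked host appended, as the drilldown should build it.
# JUMBLED: the string the decomposer produced.  WORKAROUND: the OR now lives in eval.
INTENDED = 'index="app" sourcetype="wresults" errors>0 OR failures>0 host="apptest01"'
JUMBLED = 'errors>0 failures>0 index="app" sourcetype="wresults" OR host="apptest01"'
WORKAROUND_TERMS = ['index="app"', 'sourcetype="wresults"', 'fail=Failed', 'host="apptest01"']

if __name__ == "__main__":
    enriched = add_fail_field(EVENTS)
    print("intended:  ", select(INTENDED))   # [0, 1], both apptest01
    print("jumbled:   ", select(JUMBLED))    # [3], an apptest02 event
    print("workaround:", select(" ".join(WORKAROUND_TERMS), enriched),
          "order independent:", order_independent(WORKAROUND_TERMS, enriched))
```

Run as a script it prints the three result sets. The jumbled string selects an event from apptest02: the decomposer has ANDed errors>0 with failures>0 and ORed the host term with the sourcetype, so the drilldown silently widens and shifts the match set. The workaround search contains no OR to misplace, so every ordering of its terms selects the same events, which is why moving the OR into eval removes the problem however the decomposer reorders the terms.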


sideview
SplunkTrust

Cool. Yeah, that makes sense. The decomposition was causing the bug. The parens were just a wacky idea to try to work around the problem.

0 Karma

heathm
Explorer

I should add - I did not need to add parens with the config change.

0 Karma

heathm
Explorer

Disabling all three did fix it. Thanks.

0 Karma

sideview
SplunkTrust

Sorry - I was wrong - I should have said disable addterm, addtermgt and addtermlt, not just addterm. If you disable all three I think it'll work.

0 Karma

heathm
Explorer

I tried both of those suggestions and they all resulted in slightly different search strings, but none worked. Using parens always resulted in an invalid expression, whereas the other configs gave valid expressions, just not the correct ones.

0 Karma