I want to show the Drill Down View. When I click on the parent graph, a compound string is passed as a parameter to ConvertToIntention. I want to split the clicked value in the underlying query. The query is as follows.
index="tougou" sourcetype="network"
| fields host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second
| eval host_split=(split($host_if$,":"))
| eval host_new=(mvindex(host_split,0))
| search host=host_new
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second) by host limit=50 useother=f
But when I use $host_if$, which is my parameter from ConvertToIntention, in the eval function, it gives the following error:
PARSER: Applying intentions failed Error in 'eval' command: The expression is malformed. Expected ).
How can I use the value from ConvertToIntention in the eval function, as I have to split that value and get the required parameter for my drill-down view?
Thanks in advance!
As you've verified, the split can be achieved by quoting the intention.
You should also be able to filter based on the value of host_new, by switching search to where...
index="tougou" sourcetype="network"
| fields host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second
| eval host_split=(split("$host_if$",":"))
| eval host_new=(mvindex(host_split,0))
| where host=host_new
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second) by host limit=50 useother=f
Since where and eval use the same functions, you can actually combine those evals with the where...
index="tougou" sourcetype="network"
| fields host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second
| where host=mvindex(split("$host_if$",":"),0)
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second) by host limit=50 useother=f
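A reproduction of the difference between search and where described in the answer above, added here as an example that is not part of the original thread. It assumes a Splunk version that provides makeresults; the host names and the substituted token value "web02:eth0" are constructed sample data, and matches_where / matches_search are hypothetical field names that mirror what `where host=host_new` and `search host=host_new` each compare against.

```spl
| makeresults count=3
| streamstats count AS n
| eval host=case(n=1,"web01", n=2,"web02", n=3,"db01")
| eval host_new=mvindex(split("web02:eth0",":"),0)
| eval matches_where=if(host=host_new,"yes","no")
| eval matches_search=if(host="host_new","yes","no")
| table host host_new matches_where matches_search
```

where evaluates host_new as a field, so the row whose host equals the split value matches; search treats host_new as a literal string, so no row matches.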
In the above query my view is by network interfaces, but I want to filter the results by host, which is stored in the field host_new.
search host="host_new" does not work before the timechart command. How do I assign the value of host_new as host to filter the results?
I have modified the query. I am getting the split value, but I want to assign that value to host before timechart.
The query is as follows:
index="tougou" sourcetype="network"
| fields host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second
| eval host_value="$host_if$"
| eval host_split=(split(host_value,":"))
| eval host_new=(mvindex(host_split,0))
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second) by network_interface_name limit=50 useother=f
Can you post your XML w/ the search and ConvertToIntention?
Is that the case if you quote "$host_if$"?