Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'eval' command (can't drill down in redirected flashtimeline)

the_wolverine
Champion
‎10-12-2012 12:11 PM

I've seen numerous variations of this ERROR in Answers and wanted to post a specific one. I use a query that combines subsearch, eval and duration to generate a dashboard chart.

When a user clicks on the chart, the resulting flashtimeline looks great. However, clicking on any results from the flashtimeline fail (return nothing.)

I realize there is some trick to getting this to work, perhaps with ConvertToIntention but I'm failing to get it to work. My dashboard started as Simple XML and was converted to Advanced XML using the ?showsource=1 trick. I suspect there is some ugliness in the syntax I have from showsource with respect to properly modifying it to get ConvertToIntention to work properly.

Reply

therealdpk
Path Finder
‎10-19-2012 05:12 PM

This one caught me too. This solution makes the click work:

http://splunk-base.splunk.com/answers/60224/parser-applying-intentions-failed-unable-to-drilldown-be...

Specifically, add "table" to the end of the HiddenPostProcess search, with a list of fields you want to display. This may not be all you need (my use requires some additional work because one of the fields is obtained from max(_time), and the result of that changes between display and click), but it solves the specific problem.

Reply

cphair
Builder
‎10-12-2012 02:03 PM

I coded my dashboard from scratch and have the same problem. I opened a support case for it.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...