- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Drilldown not working with Join Command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured out how to create monthly buckets using the join command, but now I cannot drilldown into my results. Can someone help me figure out how to rewrite my query or enable drilldowns using the join command?
Splunk Error Message
Encountered an unexpected error while parsing intentions.
PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'join' command.
Query
index="myIndex" host=myHost daysago=30 | stats Count as 30Days by username | join username [search index="myIndex" host=myHost daysago=60 | stats Count as 60Days by username] | join username [search index="myIndex" host=myHost daysago=90 | stats Count as 90Days by username] | join username [search index="myIndex" host=myHost daysago=120 | stats Count as 120Days by username]|fields username, 30Days, 60Days, 90Days, 120Days
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In order to work around this limitation, I had to leverage Sideview Utils Redirector component to build a custom search url to support the drill down behavior. The other gotcha was creating event types for each join duration type so that the drill down could filter by the proper bucket.
After removing the default ConvertToDrilldownSearch module, here is the stub of the Redirector:
The biggest let down of using the splunk markup is that their is no easy way to do conditionals inside a param - or performing an inline evaluation. Maybe this is just my lack of know-how. I've also learned that ConvertToIntention is completely useless when you need complete control over the search query (e.g. q=search index=myIndex). Stick with SideView Utils Redirector if you need complete search query control.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In order to work around this limitation, I had to leverage Sideview Utils Redirector component to build a custom search url to support the drill down behavior. The other gotcha was creating event types for each join duration type so that the drill down could filter by the proper bucket.
After removing the default ConvertToDrilldownSearch module, here is the stub of the Redirector:
The biggest let down of using the splunk markup is that their is no easy way to do conditionals inside a param - or performing an inline evaluation. Maybe this is just my lack of know-how. I've also learned that ConvertToIntention is completely useless when you need complete control over the search query (e.g. q=search index=myIndex). Stick with SideView Utils Redirector if you need complete search query control.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
