
PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'filnull' command

anandhim
Path Finder

Hi,

We are using a simple XML dashboard and recently a user received this error while clicking on one of the charts. I have not been able to reproduce it, but I am wondering if anybody has seen this error with the fillnull command?

The search string is

  <searchString>
  index=XYZ sourcetype=iis_access_log host=pop3web* OR host=popiweb* cm=PROD | eval time_taken=time_taken/1000 | timechart avg(time_taken) by host useother=f limit=100 | fillnull value=0
  </searchString>

1 Solution

dart
Splunk Employee

It's the post-reporting nature of the command that is doing this. Can you rework the search to have the fillnull before, like so:

  index=XYZ sourcetype=iis_access_log host=pop3web* OR host=popiweb* cm=PROD | eval time_taken=time_taken/1000 | fillnull value=0 time_taken | timechart avg(time_taken) by host useother=f limit=100

and does that work?


dart
Splunk Employee

You could override the default drilldown with dynamic drilldown

anandhim
Path Finder

Unfortunately, we are still on 4.3.4 and it will take us time to eval and then upgrade to version 5. I was curious to find the reason when this kind of error would occur so I can reproduce and resolve it.
