Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

DB Connect and ConvertToIntention Problem

vrmerlin
New Member
‎04-29-2013 01:26 PM

I’m attempting to make an Advanced XML dashboard that drills down from one chart to another chart. I’ve used a UI Example to get me started.

The first search chart comes up fine. Unfortunately, I can’t get the drilldown search to display any results. I think the nature of my query is causing problems with the ConvertToIntention module. The unusual element in my two searches (top and drilldown) is that it’s a dbquery (i.e. DB Connect).

My first HiddenSearch query contains:

  | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "Fix Version"

This creates a column chart exactly as I want. When the user clicks on a column, it passes the Fix Version to a drilldown search which is in the XML as:

  | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "ASSIGNEE"

(“[STUFF]” is the same in each search).

When I try that search alone in a search window it seems to behave fine (except that it’s for all Fix Versions). But, when I inspect the drilldown search, Splunk reports it’s trying to do this:

  None | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "ASSIGNEE" | search "Fix Version"="13.3.0"

And, what I believe I need is this (which in a search window does just what I want):

  | dbquery JIRA limit=1000 "select [STUFF]" | search "Fix Version"="13.3.0" | chart count("pkey") by "ASSIGNEE"

So, the added search term seems to showing up in the wrong place. How can I fix that?

Thanks,
John

Tags (2)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎04-29-2013 07:16 PM

It sounds like you're using an 'addterm' intention, when here you need a 'stringreplace' intention.

the 'addterm' intention had that behavior where it will ultimately take the argument and try to add it as a simple searchterm in a search clause. And if there is a reporting command involved, addterm will happily tack on a whole other search clause just like that.

the 'stringreplace' intention on the other hand, while a lot harder to work with, is for substituting the given argument into a $foo$ token in the search as specified by a HiddenSearch module.

Incidentally you might want to look at Sideview Utils. It brings in a lot of practical improvements, a lot of which make drilldowns easier to set up and maintain. The most important being that you don't have to use or think about intentions at all anymore - with Sideview Utils you can just plug your arguments right into the $foo$ tokens and skip the messy middle part of fighting with the intention system.

http://sideviewapps.com/apps/sideview-utils

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...