Splunk Dev

DB Connect and ConvertToIntention Problem

vrmerlin
New Member

I’m attempting to make an Advanced XML dashboard that drills down from one chart to another chart. I’ve used a UI Example to get me started.

The first search chart comes up fine. Unfortunately, I can’t get the drilldown search to display any results. I think the nature of my query is causing problems with the ConvertToIntention module. The unusual element in my two searches (top and drilldown) is that it’s a dbquery (i.e. DB Connect).

My first HiddenSearch query contains:

  | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "Fix Version"

This creates a column chart exactly as I want. When the user clicks on a column, it passes the Fix Version to a drilldown search which is in the XML as:

  | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "ASSIGNEE"

(“[STUFF]” is the same in each search).

When I try that search alone in a search window it seems to behave fine (except that it’s for all Fix Versions). But, when I inspect the drilldown search, Splunk reports it’s trying to do this:

  None | dbquery JIRA limit=1000 "select [STUFF]" | chart count("pkey") by "ASSIGNEE" | search "Fix Version"="13.3.0"

And, what I believe I need is this (which in a search window does just what I want):

  | dbquery JIRA limit=1000 "select [STUFF]" | search "Fix Version"="13.3.0" | chart count("pkey") by "ASSIGNEE"

So, the added search term seems to showing up in the wrong place. How can I fix that?

Thanks,
John

Tags (2)
0 Karma

sideview
SplunkTrust
SplunkTrust

It sounds like you're using an 'addterm' intention, when here you need a 'stringreplace' intention.

the 'addterm' intention had that behavior where it will ultimately take the argument and try to add it as a simple searchterm in a search clause. And if there is a reporting command involved, addterm will happily tack on a whole other search clause just like that.

the 'stringreplace' intention on the other hand, while a lot harder to work with, is for substituting the given argument into a $foo$ token in the search as specified by a HiddenSearch module.

Incidentally you might want to look at Sideview Utils. It brings in a lot of practical improvements, a lot of which make drilldowns easier to set up and maintain. The most important being that you don't have to use or think about intentions at all anymore - with Sideview Utils you can just plug your arguments right into the $foo$ tokens and skip the messy middle part of fighting with the intention system.

http://sideviewapps.com/apps/sideview-utils

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...