Intentions in drilldown module

mohankesireddy
Path Finder

I am trying to append the click value to the drilldown search. It is appending the value to the first search clause, but I want it to append to the subsearch. Is there any way to append the click value to the subsearch? Below is the code I am using.


<?xml version="1.0" encoding="UTF-8"?>








False
1


splunk.search.job
True
1


<!-- COMMON CONTROLS END -->

Last 7 days
True


index=test source=/tmp/ | rex "JSESSIONID.*\s(?<response_time>[\d]+)"|
stats avg(response_time) AS response by X_Forwarded_For |

geoip X_Forwarded_For | where X_Forwarded_For_country_name !=""|
stats avg(response) AS responsetime by X_Forwarded_For_country_name|
where responsetime > 500 |
sort -responsetime


          <module name="HiddenChartFormatter">
            <param name="chart">pie</param>
            <param name="chart.nullValueMode">zero</param>
            <param name="charting.legend.placement">none</param>
            <param name="secondaryAxisTitle.text">Response Time</param>
             <module name="FlashChart">
                       <!-- <module name="ConvertToDrilldownSearch">
            <module name="SimpleResultsTable">
                    </module> -->
    <!-- swap out the search to be a timechart.  -->
    <module name="HiddenSearch">
      <param name="search">
      index=test source=/tmp/* |
        rex "JSESSIONID.*\s(?&lt;response_time&gt; [\d]+)"| 
        stats avg(response_time) AS response by X_Forwarded_For | 
        geoip X_Forwarded_For |
        where X_Forwarded_For_country_name=$click.value$ |
        stats avg(response) AS responsetime by X_Forwarded_For_city |
        where responsetime > 0 
      </param>
      <param name="earliest">-3d</param>
      <module name="ConvertToIntention">
        <param name="intention">
          <param name="name">addterm</param>
          <param name="arg">
            <param name="X_Forwarded_For_country_name">$click.value$</param>
          </param>
          <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
          <!-- <param name="flags"><list>indexed</list></param> -->
        </param>
        <!-- finally, render the search in another FlashChart, -->
        <!-- and add a JobProgressIndicator for good measure. -->
        <module name="JobProgressIndicator"></module>
        <!-- Use a header to tell the user what they clicked on. -->
        <module name="SimpleResultsHeader">
          <param name="entityName">results</param>
          <param name="headerFormat">
            Response_time for cities in $click.value$
          </param>
        </module> <!-- End SimpleResultsHeader-->

        <module name="HiddenChartFormatter">
          <param name="chart">table</param>
          <param name="primaryAxisTitle.text">Time</param>
          <param name="secondaryAxisTitle.text">events per second</param>
          <param name="legend.placement">none</param>
          <module name="FlashChart">
            <param name="width">100%</param>
            <param name="height">160px</param>
          </module> <!-- End FlashChart-->
        </module> <!-- End HiddenChartFormatter -->
      </module> <!-- End convert to Intention -->
    </module> <!-- End HiddenSearch -->
  </module> <!-- End FlashChart-->
</module> <!-- End HiddenChartFormatter -->

<!-- End HiddenSearch -->


1 Solution

sideview
SplunkTrust

You're using Sideview Utils, but then you're still using pieces of the old core stuff that Sideview Utils makes obsolete, like intentions.

Here is a cleaned up version of the view, converted to replace your HiddenSearch+ConvertToIntention combination with just a Sideview Search module.

This way you don't need intentions, so you don't need to figure out what was wrong with the intentions you were using (btw you needed a stringreplace intention here not an addterm but it doesn't matter. It's way easier just to be consistent and use Sideview Utils techniques since you're already using Sideview stuff elsewhere in the view)

<view template="dashboard.html">
  <label>API Performance</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="appHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter"></param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">splunk.search.job</param>
    <param name="clearOnJobDispatch">True</param>
    <param name="maxSize">1</param>
  </module>
  <module name="URLLoader" layoutPanel="viewHeader" autorun="True">

    <module name="TimeRangePicker" layoutPanel="panel_row1_col1" group="Web Logs by Country">
      <param name="selected">Last 7 days</param>
      <param name="searchWhenChanged">True</param>

      <module name="Search">
        <param name="search"><![CDATA[
          index=test source=/tmp/  | rex "JSESSIONID.*\s(?<response_time>[\d]+)"| 
          stats avg(response_time) AS response by X_Forwarded_For | 
          geoip X_Forwarded_For | where X_Forwarded_For_country_name !=""| 
          stats avg(response) AS responsetime by X_Forwarded_For_country_name|
          where responsetime > 500  |
          sort -responsetime
        ]]></param>  

        <module name="JobProgressIndicator"></module>  

        <module name="HiddenChartFormatter">
          <param name="chart">pie</param>
          <param name="chart.nullValueMode">zero</param>
          <param name="charting.legend.placement">none</param>
          <param name="secondaryAxisTitle.text">Response Time</param>
          <module name="FlashChart">

            <module name="Search">
              <param name="search"><![CDATA[
              index=test source=/tmp/* |
                rex "JSESSIONID.*\s(?<response_time> [\d]+)"| 
                stats avg(response_time) AS response by X_Forwarded_For | 
                geoip X_Forwarded_For |
                where X_Forwarded_For_country_name=$click.value$ |
                stats avg(response) AS responsetime by X_Forwarded_For_city |
                where responsetime > 0 
              ]]></param>
              <param name="earliest">-3d</param>

              <module name="JobProgressIndicator"></module>
              <module name="HTML">
                <param name="html"><![CDATA[
                  <h3>Response_time for cities in $click.value$</h3>
                ]]></param>
              </module> 

              <module name="HiddenChartFormatter">
                <param name="chart">table</param>
                <param name="primaryAxisTitle.text">Time</param>
                <param name="secondaryAxisTitle.text">events per second</param>
                <param name="legend.placement">none</param>

                <module name="FlashChart">
                  <param name="width">100%</param>
                  <param name="height">160px</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module> 
    </module>
  </module>
</view>

What I did specifically -

  • In your drilldown config you were using a Splunk HiddenSearch module and a Splunk ConvertToIntention module. I replaced both with a single Sideview Search module. Now the $click.value$ token gets plugged right into your subsearch without the help of any intentions.
  • You were using a SimpleResultsHeader module to do something that the Sideview HTML module can do more compactly.
  • You had some attributes specified in the view tag that were set to the defaults. This means deleting them would change nothing so I deleted them. I suspect they were there from a simpleXML conversion long ago - simple XML conversion drags along all kinds of noise like that.
  • Beware that your attributes all got lowercased somehow. I suspect this was just from posting the XML. However, when they get lowercased like that some attributes will no longer work in Splunk. I think "AutoRun" vs "autorun" makes no difference for some reason, but "layoutpanel" won't work - only "layoutPanel" will work. FYI. This may differ by platform, I'm not sure.

And for a fair apples-to-apples comparison, here's what the view looks like, cleaned up but not converted (so don't use this XML because it has the same problem you asked me to solve =).

<view autocancelinterval="90" isvisible="true" onunloadcanceljobs="true" template="dashboard.html">
  <label>API Performance</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="appHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter"></param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">splunk.search.job</param>
    <param name="clearOnJobDispatch">True</param>
    <param name="maxSize">1</param>
  </module>
  <module name="URLLoader" layoutPanel="viewHeader" autorun="True">

    <module name="TimeRangePicker" layoutPanel="panel_row1_col1" group="Web Logs by Country">
      <param name="selected">Last 7 days</param>
      <param name="searchWhenChanged">True</param>

      <module name="Search">
        <param name="search"><![CDATA[
          index=test source=/tmp/  | rex "JSESSIONID.*\s(?<response_time>[\d]+)"| 
          stats avg(response_time) AS response by X_Forwarded_For | 
          geoip X_Forwarded_For | where X_Forwarded_For_country_name !=""| 
          stats avg(response) AS responsetime by X_Forwarded_For_country_name|
          where responsetime > 500  |
          sort -responsetime
        ]]></param>  

        <module name="JobProgressIndicator"></module>  

        <module name="HiddenChartFormatter">
          <param name="chart">pie</param>
          <param name="chart.nullValueMode">zero</param>
          <param name="charting.legend.placement">none</param>
          <param name="secondaryAxisTitle.text">Response Time</param>
          <module name="FlashChart">

            <module name="HiddenSearch">
              <param name="search">
              index=test source=/tmp/* |
                rex "JSESSIONID.*\s(?&lt;response_time&gt; [\d]+)"| 
                stats avg(response_time) AS response by X_Forwarded_For | 
                geoip X_Forwarded_For |
                where X_Forwarded_For_country_name=$click.value$ |
                stats avg(response) AS responsetime by X_Forwarded_For_city |
                where responsetime > 0 
              </param>
              <param name="earliest">-3d</param>

              <module name="ConvertToIntention">
                <param name="intention">
                  <param name="name">addterm</param>
                  <param name="arg">
                    <param name="X_Forwarded_For_country_name">$click.value$</param>
                  </param>
                </param>

                <module name="JobProgressIndicator"></module>

                <module name="SimpleResultsHeader">
                  <param name="entityName">results</param>
                  <param name="headerFormat">
                    Response_time for cities in $click.value$
                  </param>
                </module> 

                <module name="HiddenChartFormatter">
                  <param name="chart">table</param>
                  <param name="primaryAxisTitle.text">Time</param>
                  <param name="secondaryAxisTitle.text">events per second</param>
                  <param name="legend.placement">none</param>

                  <module name="FlashChart">
                    <param name="width">100%</param>
                    <param name="height">160px</param>
                  </module>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module> 
    </module>
  </module>
</view>
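
The converted view works by pasting `$click.value$` straight into the search text, so whatever was clicked becomes part of the query. As an added example (not code from this thread or from Sideview Utils; `substituteTokens`, `quoteSplString` and `countStages` are hypothetical names, the click values are constructed, and backslash escaping inside double-quoted SPL strings is assumed), this JavaScript models that substitution and shows how rendering the value as a quoted string literal keeps it inside the `where` comparison:

```javascript
// Added example. substituteTokens, quoteSplString and countStages are
// hypothetical helpers, not Sideview Utils or Splunk APIs.

// Drilldown search from the thread, shortened to the stages around the token.
const TEMPLATE =
  'geoip X_Forwarded_For | ' +
  'where X_Forwarded_For_country_name=$click.value$ | ' +
  'stats avg(response) AS responsetime by X_Forwarded_For_city';

// Replace each $name$ token with its context value. Unknown tokens are left
// in place so a missing value stays visible in the resulting search.
function substituteTokens(template, context, encode) {
  return template.replace(/\$([A-Za-z_][\w.]*)\$/g, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(context, name)) return match;
    const value = String(context[name]);
    return encode ? encode(value) : value;
  });
}

// Render a value as a double-quoted SPL string literal (assumes backslash
// escaping inside double quotes): escape backslashes first, then quotes.
function quoteSplString(value) {
  return '"' + value.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Count pipeline stages: pipes inside double-quoted strings do not count.
function countStages(spl) {
  let stages = 1;
  let inQuotes = false;
  for (let i = 0; i < spl.length; i++) {
    const ch = spl[i];
    if (inQuotes && ch === '\\') { i++; continue; } // skip escaped character
    if (ch === '"') inQuotes = !inQuotes;
    else if (ch === '|' && !inQuotes) stages++;
  }
  return stages;
}

// Constructed click values: a plain name with a space, and one carrying
// quote and pipe characters.
const SAMPLES = ['United States', 'Korea | "South"'];

// Build the raw and the quoted search for one click value.
function compare(value) {
  const context = { 'click.value': value };
  const raw = substituteTokens(TEMPLATE, context);
  const quoted = substituteTokens(TEMPLATE, context, quoteSplString);
  return { raw, quoted, rawStages: countStages(raw), quotedStages: countStages(quoted) };
}

for (const value of SAMPLES) {
  const r = compare(value);
  console.log(r.rawStages, r.raw);
  console.log(r.quotedStages, r.quoted);
}
```

With the second sample the raw substitution produces a search with four stages instead of the template's three, while the quoted form stays at three.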

0waste_splunk
Communicator

thanks sideview

0 Karma

mohankesireddy
Path Finder

Thanks sideview, it's working... thanks for pointing out the issues in my code and also laying out the differences.. I will use the Sideview Utils instead of the intentions... Sideview Utils makes life easier.

0 Karma