Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Advanced XML Form Search Problem
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nrelihan
Explorer
12-19-2011
05:11 AM
Has anybody found a fix to convert a form search from simple to advanced XML? I get the following error when I convert it via ?showsource=1
"PARSER: Applying intentions failed 'unicode' object has no attribute 'get'"
I then tried the "fixes" that were supplied on this forum with no luck.
1. Adding "
I tested these fixes on a simple test form search that is created when you create an new app, incase it was related to my code. So the issues seems to be purely down to incorrect translation from simple to advanced xml.
If any Splunk developer is listening can you please post the correct translation?
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drainy
Champion
12-19-2011
06:37 AM
How about;
<module name="HiddenSearch" layoutPanel="viewHeader">
<param name="search">index=sample from="$from$"</param>
<param name="earliest">-12h@h</param>
<param name="latest">-5m@m</param>
<module name="ExtendedFieldSearch">
<param name="replacementMap">
<param name="arg">
<param name="from"/>
</param>
</param>
<param name="field">from</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="from">
<param name="fillOnEmpty">True</param>
</param>
</param>
</param>
<module name="SubmitButton">
<param name="allowSoftSubmit">True</param>
<param name="label">Search</param>
<module name="JobStatus">
<module name="EnablePreview" layoutPanel="panel_row1_col1">
<param name="enable">True</param>
<param name="display">False</param>
<module name="SimpleResultsTable">
<param name="count">20</param>
<param name="drilldown">row</param>
<param name="allowTransformedFieldSelect">True</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
If it works then don't forget to accept this as the right answer 🙂
If it doesn't then leave a comment with any errors etc you may have (Obviously the above is missing the view, label and header fields)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nrelihan
Explorer
12-19-2011
06:52 AM
Hey Draineh, I'll try that now. I got it working just there also (by copying an existing app).
Thanks.
<module name="ExtendedFieldSearch">
<param name="label">from</param>
<param name="field">from</param>
<param name="replacementMap">
<param name="arg">
<param name="from">
<param name="value"></param>
</param>
</param>
</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="from">
<param name="default"></param>
<param name="fillOnEmpty">false</param>
</param>
</param>
</param>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drainy
Champion
12-19-2011
06:37 AM
How about;
<module name="HiddenSearch" layoutPanel="viewHeader">
<param name="search">index=sample from="$from$"</param>
<param name="earliest">-12h@h</param>
<param name="latest">-5m@m</param>
<module name="ExtendedFieldSearch">
<param name="replacementMap">
<param name="arg">
<param name="from"/>
</param>
</param>
<param name="field">from</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="from">
<param name="fillOnEmpty">True</param>
</param>
</param>
</param>
<module name="SubmitButton">
<param name="allowSoftSubmit">True</param>
<param name="label">Search</param>
<module name="JobStatus">
<module name="EnablePreview" layoutPanel="panel_row1_col1">
<param name="enable">True</param>
<param name="display">False</param>
<module name="SimpleResultsTable">
<param name="count">20</param>
<param name="drilldown">row</param>
<param name="allowTransformedFieldSelect">True</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
If it works then don't forget to accept this as the right answer 🙂
If it doesn't then leave a comment with any errors etc you may have (Obviously the above is missing the view, label and header fields)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nrelihan
Explorer
12-19-2011
05:29 AM
<module name="ExtendedFieldSearch">
<param name="replacementMap">
<param name="arg">
<param name="from"/>
</param>
</param>
<param name="field">from</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="from">
<param name="fillOnEmpty">True</param>
</param>
</param>
</param>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drainy
Champion
12-19-2011
05:24 AM
From memory I couldn't tell you but if you could post your new advanced xml I could probably fix it fairly quickly
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
