topic Re: Override basesearch saved search with timerange token and convert to inline in Dashboards & Visualizations

Override basesearch saved search with timerange token and convert to inline

subtrakt — Wed, 28 Sep 2016 16:46:12 GMT

Hi
I like the simple xml post process and how fast it is when filtering data on a savedsearch.

However, on my dashboard, sometimes i want to override the saved search and expand the time range.

Is there any way to override saved search timerange and execute an inline search on the basesearch? This view is using simple xml postprocess and timerange button. Can a time token manually override the basesearch query?

fieldset submitButton="false">
    <input type="text" token="FindHost" searchWhenChanged="true">
      <label>HOST FILTER</label>
      <default></default>
    </input>

     <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>

  </fieldset>
      <search id="BaseSearch1" ref="ALERTcht"></search>
  <row>
    <panel>

      <table>
        <title>TEST</title>
        <search base="BaseSearch1">
          <query>
            <![CDATA[| search host="*$FindHost$*" ]]>
          </query>
        </search>
        <option name="displayRowNumbers">true</option>
        <option name="height">300px</option>
        <option name="wrap">false</option>
        <option name="earliest">$field1$</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">100</option>
        <option name="refresh.auto.interval">300</option>
        <format type="sparkline" field="TREND">
          <option name="type">bar</option>
          <option name="height">20px</option>
          <!-- Use colorMap to map specific values to selected colors -->
          <option name="colorMap">
            <option name="1:">#FF0000</option>
            <option name=":0">#9ac23c</option>
          </option>
          <option name="barWidth">5px</option>
        </format>
      </table>
    </panel>
  </row>
  <row>

Re: Override basesearch saved search with timerange token and convert to inline

somesoni2 — Wed, 28 Sep 2016 17:35:20 GMT

It can. Just update the base search portion with this

Replace

 <search id="BaseSearch1" ref="ALERTcht"></search>

With

 <search id="BaseSearch1" ref="ALERTcht">
    <earliest>$field1.earliest$</earliest>
    <latest><$field1.latest$</latest>
</search>

Re: Override basesearch saved search with timerange token and convert to inline

subtrakt — Wed, 28 Sep 2016 18:15:20 GMT

Thanks -

Good news: is it makes the panels refresh when i choose a time.

Bad news: The charts still display the time defined in the 'Start time' and 'Finish time' under 'Time range' settings in the saved search form.

The underlying query in the saved search does not have earliest=-1h@h latest=now

<fieldset submitButton="false">

    <input type="text" token="FindHost" searchWhenChanged="true">
      <label>HOST FILTER</label>
      <default></default>
    </input>


    <input type="time" token="field1">
      <label>Timerange Under Development</label>
    </input>    
  </fieldset>  


  <search id="BaseSearch1" ref="ALERTcht">
     <earliest>$field1.earliest$</earliest>
     <latest>$field1.latest$</latest>  
  </search>

Re: Override basesearch saved search with timerange token and convert to inline

somesoni2 — Wed, 28 Sep 2016 18:54:23 GMT

Ok.. Lets try another option. Update your base search with this now.

 <search id="BaseSearch1" >
<query>| savedsearch  ALERTcht </query>
     <earliest>$field1.earliest$</earliest>
     <latest><$field1.latest$</latest>
 </search>

Re: Override basesearch saved search with timerange token and convert to inline

subtrakt — Wed, 28 Sep 2016 19:26:17 GMT

That works, however the default savedsearch is "waiting for input" until timerange is selected. Its no longer instantly loading the savedsearch history.

   <input type="time" token="field1" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest></earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
  <search id="BaseSearch1" ref="ALERTcht">
    <query>| savedsearch ALERTcht</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>

Re: Override basesearch saved search with timerange token and convert to inline

subtrakt — Wed, 28 Sep 2016 19:29:10 GMT

standby, it might be working properly. testing.

Re: Override basesearch saved search with timerange token and convert to inline

subtrakt — Wed, 28 Sep 2016 20:39:29 GMT

I don't think its using the scheduled search history - I'll live with it for now.

Re: Override basesearch saved search with timerange token and convert to inline

somesoni2 — Wed, 28 Sep 2016 20:56:59 GMT

It won't. ALso, if you're looking for flexibility to change the time range, the historical run wouldn't be useful anyways.

Re: Override basesearch saved search with timerange token and convert to inline

subtrakt — Wed, 28 Sep 2016 21:24:33 GMT

Understood...

The idea would be to have the dashboard refresh every 5 minutes in monitor mode by using the scheduled search history. And if a user changes the timerange selector it goes into inline mode.

I guess I could have two dashboards, one for monitoring and one for historical research..

Either way, appreciate your help.