Application Context (ui_dispatch_app vs. ui_dispatch_view)

memarshall63
Communicator

Can anyone explain, or point to documentation that can explain, the ui_dispatch_app vs. ui_dispatch_view configuration in savedsearches.conf? I have a search that ultimately results in the line:

| outputlookup createinapp=true create_empty=false lookup_filename.csv

The saved search is contained in Application_A
The savedsearches.conf also adds the settings:

request.ui_dispatch_app = Application_A
request.ui_dispatch_view = search

I'm not sure why the developer chose 'ui_dispatch_view = search' but the lookup file (lookup_filename.csv) seems to randomly end up in either Application_A/lookups or search/lookups directories. I thought at first that this was the difference between the job being scheduled, and the job being executed by hand. But, maybe that's just a mirage.

The .spec file says this:

request.ui_dispatch_app  = <string>
* Specifies a field used by Splunk UI to denote the app that this search should be dispatched in.
* Default: empty string

request.ui_dispatch_view = <string>
* Specifies a field used by Splunk UI to denote the view this search should be displayed in.
* Default: empty string

I guess I don't understand the difference between an 'app' and a 'view', and neither of those would seem to relate to an outputlookup command.

I'd appreciate the help.

0 Karma

memarshall63
Communicator

More details:

The key 'requirement' here is to create a lookup file in the same 'app/lookups' directory. I thought that manipulating these values might do that -- but I'm finding that these settings don't seem to have any reliable impact.

At the end of the day -- if you run

|outputlookup lookup_file.csv 

in a search, because the 'createinapp' parameter has a default of 'true' -- the lookup file will be created in the lookups folder in the app where the search is running -- NOT in the app where the search is defined.

If you run

|outputlookup createinapp=false lookup_file.csv

in a search, the lookup file will end up in ../system/lookups.

I do not see a way to force a lookup file to end up in a specific application's lookups directory. Anyone have any solutions for that?

0 Karma

memarshall63
Communicator

I'm adding this as a separate question...

0 Karma