All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Application Context (ui_displatch_app vs. ui_dispatch_view)

memarshall63
Communicator
‎02-25-2020 10:31 AM

Can anyone explain or point to documentation that can explain the ui_displatch_app vs. ui_dispatch_view configuration in savedsearches.conf. I have a search that ultimately results in the line:

| outputlookup creatinapp=true create_empty=false lookup_filename.csv

The saved search is contained in Application_A
The savedsearches.conf also adds the settings:

request.ui_dispatch_app = Application_A
request.ui_dispatch_view = search

I'm not sure why the developer chose 'ui_dispatch_view = search' but the lookup file (lookup_filename.csv) seems to randomly end up in either Application_A/lookups or search/lookups directories. I thought at first that this was the difference between the job being scheduled, and the job being executed by hand. But, maybe that's just a mirage.

The .spec file says this:

request.ui_dispatch_app  = <string>
* Specifies a field used by Splunk UI to denote the app that this search should be dispatched in.
* Default: empty string

request.ui_dispatch_view = <string>
* Specifies a field used by Splunk UI to denote the view this search should be displayed in.
* Default: empty string

I guess I don't understand the difference between an 'app' and a 'view', and neither of those would seem to relate to a outputlookup command.

I'd appreciate the help.

Tags (1)
0 Karma
Reply

memarshall63
Communicator
‎02-26-2020 10:25 AM

More details:

The key 'requirement' here is to create a lookup file in the same 'app/lookups' directory. I thought that manipulating these values might do that -- but I'm finding that these settings don't seem to have any reliable impact.

At the end of the day -- if you run 

|outputlookup lookup_file.csv

in a search, because the "createinapp' parameter has a default of 'true' -- the outlook file will be created in the lookups folder in the app where the search is running -- NOT in the app where the search is defined.

If you run

|outputlookup createinapp=false lookup_file.csv

in a search, the lookup file will end up in ../system/lookups.

I do not see a way to force a lookup file to end up in a specific applications lookups directory. Anyone have any solutions for that?

0 Karma
Reply

memarshall63
Communicator
‎03-10-2020 12:21 PM

I'm adding this as a separate question...

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...