HOW: Pass a variable to a new search with SideviewUtils

kragel
Path Finder

I'm doing a search with SideviewUtils and returning a table. I want to kick off a new search using a variable that the user clicks on in the table results. Is this possible? PostProcess doesn't seem like what I want because I don't want the results based on the first search. In the example below I'd like to search on the value of qid from the first search and the text msgid.

Sorry if this is a dumb question as I'm new to Splunk. Thanks.

to_address

host=smtphost* $to_address$.procmail ctladdr | table _time,to,host,qid | sort -_time

"qid" msgid

1 Solution

sideview
SplunkTrust

Here's a simple "inline drilldown" example for you, where the user can enter an address in the textfield and hit return. Then a table of times, to addresses, hosts and qids appears. Then the user can click on a row to search for the given qid associated with that "to".

<module name="TextField" layoutPanel="panel_row1_col1">
  <param name="name">to</param>
  <param name="label">To Address</param>

  <module name="Search">
    <param name="search">host=smtphost* $to$.procmail ctladdr | table _time,to,host,qid | sort -_time</param>

    <module name="Pager">
      <module name="Table">

        <module name="Search">
          <param name="search">$to$ $row.fields.qid$</param>

          <module name="Pager">
            <module name="Table">
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

There are some other things you might want, like a green submit button (stitch a Button module in after the first Search and before the first Pager) or a JobProgressIndicator (put <module name="JobProgressIndicator"></module> before the first Pager).

And if this still seems like black magic to you, read through the "Introduction to the Advanced XML" in Sideview Utils. And make sure you're on the latest version of the app too (3.1.1).

And once you have the latest, there are two pages full of docs and working examples for "inline drilldown": "Key Techniques > Inline Drilldown"

http://sideviewapps.com/apps/sideview-utils


0 Karma

kragel
Path Finder

Good idea. I figured it out. I was not using

-2d
now

so Splunk was using the time range of latest indexed event. Once I added the params to set the search time it worked great. Thanks again!

0 Karma

sideview
SplunkTrust
SplunkTrust

I would throw these into the view at sensible points to debug what exact search it's running.

<module name="HTML">
  <param name="html">$search$</param>
</module>

It'll just spit out whatever the current search string is. Basically if you're getting 'no results found' it means the search isn't finding any results, which means some assumption about the searches is off. You can debug by pasting the search strings into the default search view and investigating why it could sometimes return zero results.

0 Karma
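Pulling the thread's pieces together (the accepted inline-drilldown view, the earliest/latest time range from kragel's follow-up, and the HTML debugging module from the post above), here is one complete Sideview view. This is an added example, not code from the original posts or from the Sideview Utils app itself. Assumptions not on this page: the view scaffolding (the dashboard.html template and the SideviewUtils, AccountBar and AppBar header modules), the Button module's allowSoftSubmit param, and the use of the keyword msgid in the drilldown search, which is taken from kragel's original question rather than from the accepted answer.

```xml
<view template="dashboard.html">
  <label>Mail qid drilldown (added example)</label>

  <!-- Assumed scaffolding: a Sideview view loads the SideviewUtils module once;
       AccountBar and AppBar are the standard Splunk header modules. -->
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>

  <!-- Step 1: the user-supplied address. $to$ is the token the downstream
       Search module substitutes into its search string. -->
  <module name="TextField" layoutPanel="panel_row1_col1">
    <param name="name">to</param>
    <param name="label">To Address</param>

    <!-- Step 2: the first search, with an explicit time range (-2d/now, the
         values from kragel's follow-up). Without earliest/latest the view has
         no time range of its own, which is what produced the intermittent
         "No results found" in the thread. -->
    <module name="Search">
      <param name="search">host=smtphost* $to$.procmail ctladdr | table _time,to,host,qid | sort -_time</param>
      <param name="earliest">-2d</param>
      <param name="latest">now</param>

      <!-- Green submit button, stitched in after the first Search and before
           the first Pager. allowSoftSubmit (assumed param name) lets Enter in
           the TextField trigger it. -->
      <module name="Button">
        <param name="allowSoftSubmit">True</param>
        <param name="label">Search</param>

        <!-- Debug aid from the thread: render the search string that was
             actually dispatched, so a bad token value or a missing time
             range is visible on the page instead of silently returning nothing. -->
        <module name="HTML">
          <param name="html">Dispatched search: $search$</param>
        </module>

        <module name="JobProgressIndicator"></module>

        <module name="Pager">
          <module name="Table">

            <!-- Step 3: inline drilldown. Nothing below this Table runs until
                 a row is clicked; $row.fields.qid$ is then the qid of that row.
                 The token is quoted so the qid is matched as one literal term,
                 and the drilldown carries its own time range too. -->
            <module name="Search">
              <param name="search">"$row.fields.qid$" msgid</param>
              <param name="earliest">-2d</param>
              <param name="latest">now</param>

              <module name="HTML">
                <param name="html">Drilldown search: $search$</param>
              </module>

              <module name="JobProgressIndicator"></module>

              <module name="Pager">
                <module name="Table"></module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
```

Save it as a view XML file in your app's default/data/ui/views directory and open it from the app's navigation. The two HTML modules are the first thing to look at when a panel comes back empty: they show exactly what the typed address and the clicked qid turned into after token substitution, which is the same string you would paste into the default search view to investigate, as suggested above. Once the view behaves, the HTML modules can be removed.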

kragel
Path Finder

Thank you that was helpful. I was able to pass qid with $row.fields.qid$. What's odd is that I get "No Results found" sometimes and other times I get the correct data. If I manually paste the search in a new search window I always get correct data. Any idea why it would behave differently? I'm looking at the inline drilldown docs now trying to find out why. Thank you.

0 Karma