I'm doing a search with SideviewUtils and returning a table. I want to kick off a new search using a variable that the user clicks on in the table results. Is this possible? PostProcess doesn't seem like what I want because I don't want the results based off of the first search. In the example below I'd like to search on the value of qid from the first search and the text msgid.
Sorry if this is a dumb question as I'm new to Splunk. Thanks.
Here's a simple "inline drilldown" example for you, where the user can enter an address in the textfield and hit return. Then a table of times, to addresses, hosts and qids appears. Then the user can click on a row to search for the given qid associated with that "to".
<module name="TextField" layoutPanel="panel_row1_col1">
  <param name="name">to</param>
  <param name="label">To Address</param>
  <!-- First search: runs when the user submits the "to" address -->
  <module name="Search">
    <param name="search">host=smtphost* $to$.procmail ctladdr | table _time,to,host,qid | sort -_time</param>
    <module name="Pager">
      <module name="Table">
        <!-- Drilldown search: runs when a row is clicked, using that row's qid -->
        <module name="Search">
          <param name="search">$to$ $row.fields.qid$</param>
          <module name="Pager">
            <module name="Table">
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
There are some other things you might want, like a green submit button (stitch a Button module in after the first Search and before the first Pager) or a JobProgressIndicator (put <module name="JobProgressIndicator"></module> before the first Pager).
And if this still seems like black magic to you, read through the "Introduction to the Advanced XML" in Sideview Utils. And make sure you're on the latest version of the app too (3.1.1).
And once you have the latest, there are two pages full of docs and working examples for "inline drilldown": "Key Techniques > Inline Drilldown".
Good idea. I figured it out. I was not using
so Splunk was using the time range of latest indexed event. Once I added the params to set the search time it worked great. Thanks again!
I would throw these into the view at sensible points to debug what exact search it's running.
<module name="HTML">
  <param name="html">$search$</param>
</module>
It'll just spit out whatever the current search string is. Basically if you're getting 'no results found' it means the search isn't finding any results, which means some assumption about the searches is off. You can debug by pasting the search strings into the default search view and investigating why it could sometimes return zero results.
Thank you that was helpful. I was able to pass qid with $row.fields.qid$. What's odd is that I get "No Results found" sometimes and other times I get the correct data. If I manually paste the search in a new search window I always get correct data. Any idea why it would behave differently? I'm looking at the inline drilldown docs now trying to find out why. Thank you.