
Realtime search from link

tmurray3
Path Finder

I am trying to figure out how to run a realtime search after selecting a link in a results table. Basically, I want the search to be defined as "sourcetype=XXX host=XXX" and the earliest time value set to rt-5 (realtime search). The sourcetype and host are dynamic fields which could be updated based on the link selected in the results table.

I tried to use the Sideview Utils Redirector to call the flashtimeline with my search term. The search term runs, but the timerange is set to all time. I can't figure out how to get the timerange set to real-time when calling from the Redirector.

<module name="Redirector" layoutPanel="panel_row3_col1">
      <param name="url">flashtimeline</param>
      <param name="arg.q">sourcetype=top host=$click.value$</param>
      <param name="popup">true</param>
</module>

To get around this problem, I saved a search with the realtime time values set. Then I created a macro to allow me to pass in the sourcetype and host name.

<module name="Redirector" layoutPanel="panel_row3_col1">
      <param name="url">flashtimeline</param>
      <param name="arg.q">savedsearch="HostRealtimeSearch" `rtSearch(sourcetype=top,host=$click.value$)`</param>
      <param name="popup">true</param>
</module>

The search field is populated with the following after clicking the link:
savedsearch="HostRealtimeSearch" rtSearch(sourcetype=top,host=localhost.localdomain)

However, there is an error stating "Error in 'savedsearch' command: Option '=HostRealtimeSearch' is invalid."

If I run the above query in the search field directly, it works. But when it is passed by the Redirector with the ?q option it fails with the aforementioned error.

Any ideas, on how I can run a realtime search with the ability to pass the sourcetype and host dynamically?

Thanks in advance for your help!!!!


sideview
SplunkTrust

I need to add this to the Sideview Utils documentation, but it's quite easy. You just give Redirector an earliest key and a latest key, just like you give it a 'q' key.

If you want to pass a specific timerange, then you would just use "rt-5m" and "rt" as your values, like so:

<module name="Redirector" layoutPanel="panel_row3_col1">
      <param name="url">flashtimeline</param>
      <param name="arg.q">sourcetype=top host=$click.value$</param>
      <param name="arg.earliest">rt-5m</param>
      <param name="arg.latest">rt</param>
      <param name="popup">true</param>
</module>

and if you want it to pass along whatever the currently selected timerange is, whether it's from a TimeRangePicker module, or from a timechart bar that the user might have clicked on above, you would do this:

<module name="Redirector" layoutPanel="panel_row3_col1">
      <param name="url">flashtimeline</param>
      <param name="arg.q">sourcetype=top host=$click.value$</param>
      <param name="arg.earliest">$search.timeRange.earliest$</param>
      <param name="arg.latest">$search.timeRange.latest$</param>
      <param name="popup">true</param>
</module>
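To show where the Redirector from the answer above sits in a working view, here is a complete Sideview-style advanced XML view as an added example; it is not code from the original thread or from the Sideview Utils documentation. It assumes a search of `sourcetype=top | stats count by host` feeding a SimpleResultsTable with row drilldown, so that `$click.value$` resolves to the first column of the clicked row (the host); the view label, the TimeRangePicker default and the search string are all illustrative choices. Clicking a row opens flashtimeline in a popup with a fixed 5-minute realtime window; the commented-out pair of params shows the alternative from the answer that forwards whatever range the TimeRangePicker currently holds.

```xml
<!-- Added example view: hosts table with a realtime drilldown (not from the original post). -->
<view template="dashboard.html" autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true">
  <label>Hosts with realtime drilldown (example)</label>

  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <!-- Sideview Utils must be loaded once per view for its modules and $...$ tokens to work. -->
  <module name="SideviewUtils" layoutPanel="appHeader"/>

  <!-- The picker's range is what $search.timeRange.earliest$ / $search.timeRange.latest$ carry downstream. -->
  <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="searchWhenChanged">True</param>
    <param name="default">Last 24 hours</param>

    <!-- Assumed driving search: one row per host seen in the chosen sourcetype. -->
    <module name="Search">
      <param name="search">sourcetype=top | stats count by host</param>

      <module name="Pager">
        <module name="SimpleResultsTable">
          <!-- Row drilldown: $click.value$ is the first column (host) of the clicked row. -->
          <param name="drilldown">row</param>

          <module name="Redirector">
            <param name="url">flashtimeline</param>
            <!-- Redirector URL-encodes the clicked value before it is placed in ?q= -->
            <param name="arg.q">sourcetype=top host=$click.value$</param>
            <!-- Fixed realtime window: last five minutes, continuously updated. -->
            <param name="arg.earliest">rt-5m</param>
            <param name="arg.latest">rt</param>
            <!--
              Alternative: forward the currently selected range instead of a fixed one.
              <param name="arg.earliest">$search.timeRange.earliest$</param>
              <param name="arg.latest">$search.timeRange.latest$</param>
            -->
            <param name="popup">true</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
```

Two practical notes. A popup opened this way keeps a realtime search job alive for as long as the window stays open, so a table with many clickable rows can quietly accumulate realtime jobs on the search head; `onunloadCancelJobs` on the view only covers the parent page. And because the host value is interpolated into the search string as a bare term, values containing spaces or quotes should be wrapped in quotes in the `arg.q` param (for example `host="$click.value$"`) so the resulting search still parses as a single field match.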

sideview
SplunkTrust

Note: coming in the next version of Sideview Utils (1.2) I have added some more examples and more documentation to the linking page to cover this. It'll be up in a few days.
