Re: Saved Search links in dasboard

Starlette · ‎10-25-2012

This is a returning question but I wonder whats the best way to handle this in sideview.
So i want to achive an overview of clickable links (saved searches) which render the flashtimeline...(same as rendering them from the menu)

sideview · ‎10-25-2012

Well, I was hoping to have a nice simple answer using the new Multiplexer module, and having it "Multiplex" an HTML module.

However with the need to URL-encode the searchterms and the need to use postProcess to get the other properties, this made it considerably more XML than I expected.

Nonetheless, the Multiplexer + HTML solution is idea #1:

<module name="Search" autoRun="True">
  <param name="search">| rest /servicesNS/admin/search/saved/searches</param>

  <module name="Pager">
    <module name="Multiplexer">
      <param name="field">title</param>
      <module name="PostProcess">
        <param name="search">search title="$name$" | rename search as searchString dispatch.earliest_time as earliest dispatch.latest_time as latest | eval earliest=if(earliest="None","",earliest) | eval latest=if(latest="None","",latest)</param>
        <module name="ResultsValueSetter">
          <param name="fields">searchString,earliest,latest,title</param>
          <module name="ValueSetter">
            <param name="name">savedSearchURL</param>
            <param name="value"><![CDATA[chart?searchBar=$searchString$&earliest=$earliest$&latest=$latest$&autoRun=True]]></param>
            <param name="urlEncodeKeys">searchString,earliest,latest</param>

            <module name="HTML">
              <param name="html"><![CDATA[
                <a href="$savedSearchURL$">$title$</a>
              ]]></param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

There is of course another easy way to do this with Sideview Utils, and that's to just use the Table module and the Redirector module:

<module name="Search" autoRun="True">
  <param name="search">| rest /servicesNS/admin/search/saved/searches | rename qualifiedSearch as searchString dispatch.earliest_time as earliest dispatch.latest_time as latest | fields title searchString earliest latest</param>

  <module name="Pager">
    <module name="Table">
      <param name="hiddenFields">searchString earliest latest</param>

      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">$row.fields.searchString$</param>
        <param name="arg.earliest">$row.fields.earliest$</param>
        <param name="arg.latest">$row.fields.latest$</param>
      </module>
    </module>
  </module>
</module>

Although, if you're not picky about the presentation, straight up blue links in a bulleted list are just fine, and you don't need to tweak the rest command at all, the SavedSearches module may well be the simplest way to go!

<module name="Paginator">
  <module name="SavedSearches"/>
</module>

rroberts · ‎10-25-2012

I've done something like this calling the savedsearches module directly.

module name="GenericHeader" layoutPanel="sidebar"

param name="label" My Saved Searches /param

module name="SavedSearches" layoutPanel="sidebar"/>

/module>

I removed the field picker and replaced it with a list of saved search. Might start here.

Saved Search links in dasboard

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor