
Sideview SavedSearch module doesn't save the search

kmattern
Builder

I'm probably missing something pretty basic, but when I put the Sideview SearchControls module into a view and save the search, the savedsearches.conf entry created looks like this:

[PopRedstonr]
action.email.reportServerEnabled = 0
alert.track = 0
displayview = CombinedDetail
request.ui_dispatch_view = CombinedDetail
search = *

Here is the XML (more or less - mostly less)

    <view>
      <blablabla/>
      <module name="SearchControls">
        <param name="sections">export print saveMenu createMenu </param>
        <param name="jobControls">pause cancel</param>
        <param name="saveMenu">saveSearch saveResults saveAndShareResults</param>
        <param name="createMenu">createAlert createScheduledSearch</param>

        <stuff>
        The rest of my view XML
        Search, table, redirector, etc.
        </stuff>
      </module>
    </view>

If I run the same search in the search app and save it I get the search in my savedSearches.conf and it looks like this:

[PopRedstonr]
action.email.reportServerEnabled = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
auto_summarize.timespan = 1m
dispatch.earliest_time = 0
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = index="fbo" sourcetype="fboTEMPLATE" "*POP*Redstone*"\
| spath output=Date path=TEMPLATE.DATE\
| spath output=Record path=TEMPLATE.RECNUM\
| spath output=Subject path=TEMPLATE.SUBJECT\
| spath output=Location path=TEMPLATE.POPADDRESS\
| eval Date= strptime(Date,"%m%d%Y") \
| convert timeformat="%Y-%m-%d"  ctime(Date) AS Date\
| table Date, Record, Location, Subject\
| sort Date desc
vsid = hq73cul2

Why am I getting only an asterisk instead of the search text in my view?

sideview
SplunkTrust

The answer has to do with how, when and why the searches get kicked off by the Splunk module framework.

First, the modules themselves don't actually kick off searches. It's the framework itself that does it as it's passing all the arguments around - more precisely as the "push" cascades down through the module hierarchy and as that push starts to hit modules that actually need search results. The point in the module hierarchy where the framework kicks off a given search is called the "dispatch point" for that search.

To finally come back to your question, the SearchControls module has to be at or below the "dispatch point" of the search that you want to control. If on the other hand you put it somewhere weird in the hierarchy where no search would otherwise be getting dispatched, it'll itself cause a "search *" search to get dispatched, and so you'll be controlling that one. o_O

If you haven't read it, or even if you have, take a moment to get the latest Sideview Utils, and navigate to "Key Techniques > Overview of the Advanced XML". This page gives an explanation of all this. The bad news is that the explanation is quite long.

By the way, the core Splunk JobStatus module has the same behavior - it has to be at or below the dispatching point of the job you want to operate on.
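The placement rule from the answer above, written as a small check over view XML; this is an added example, not code from the thread or from Sideview Utils. It assumes a simplified model in which any ancestor module listed in `SEARCH_DEFINING` supplies the search string, and both sample views are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: modules that set the search string for everything nested below them.
SEARCH_DEFINING = {"Search", "SavedSearch", "HiddenSearch", "HiddenSavedSearch", "SearchBar"}
# Modules the answer says must sit at or below the dispatch point.
JOB_BOUND = {"SearchControls", "JobStatus"}

def misplaced_job_modules(view_xml):
    """Return names of job-bound modules that have no search-defining ancestor."""
    findings = []

    def walk(node, search_upstream):
        for child in node:
            if child.tag != "module":
                continue  # skip <param> and other non-module elements
            name = child.get("name", "")
            if name in JOB_BOUND and not search_upstream:
                findings.append(name)  # would end up controlling a "search *" job
            walk(child, search_upstream or name in SEARCH_DEFINING)

    walk(ET.fromstring(view_xml), False)
    return findings

# Constructed view: SearchControls wraps the Search module, as in the question.
BROKEN_VIEW = """<view>
  <module name="SearchControls" layoutPanel="viewHeader">
    <param name="sections">export print saveMenu createMenu</param>
    <module name="Search">
      <param name="search">index="fbo" sourcetype="fboTEMPLATE"</param>
      <module name="Table"/>
    </module>
  </module>
</view>"""

# Constructed view: SearchControls nested below the module that defines the search.
FIXED_VIEW = """<view>
  <module name="Search" layoutPanel="viewHeader">
    <param name="search">index="fbo" sourcetype="fboTEMPLATE"</param>
    <module name="SearchControls">
      <param name="sections">export print saveMenu createMenu</param>
    </module>
    <module name="Table"/>
  </module>
</view>"""

if __name__ == "__main__":
    print(misplaced_job_modules(BROKEN_VIEW), misplaced_job_modules(FIXED_VIEW))
```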

kmattern
Builder

Ah Ha! That's a palindrome. I should have thought about that. I got it backwards because I am so used to pushing stuff to a search. I'll move it to where it belongs and chalk it up to not thinking downstream far enough.

Thanks Nick.
