Sideview Utils passing Pulldown value to SavedSearch

Path Finder

My XML:

<module name="Search" layoutPanel="panel_row1_col1" autoRun="False">
  <param name="search">index=aaa | chart count over VendorName</param>
  <module name="Pulldown" layoutPanel="panel_row1_col1_grp1" autoRun="True">
    <param name="name">VdrName</param>
    <param name="label">Vendor Name</param>
    <param name="searchFieldsToDisplay">
      <list>
        <param name="label">VendorName</param>
        <param name="value">VendorName</param>
      </list>
    </param>
    <!-- downstream modules not shown -->
  </module>
</module>

My Saved Search:
index=aaa VendorName="$VdrName$" [search index=bbb VendorName="$VdrName$"| stats...] | stats ...

My Question: How can I pass the VdrName value from my Pulldown module into my saved search? I've tried using the HiddenSearch and HiddenSavedSearch modules without success. My current option is to use the Search module and write the search query within the XML. Although this works, now I don't have the option to accelerate the search.

1 Solution

SplunkTrust

Well, both HiddenSearch and HiddenSavedSearch are Splunk modules and Splunk modules in general do not do $foo$ substitution.

From there, there is the Sideview module "SavedSearch", and it will do $foo$ substitution. The problem in this case is that it will do $foo$ substitution into the param that defines the savedsearch name, not into the actual search string of the savedsearch itself once the savedsearch gets loaded.

The good news is that it's far better to use a macro for this anyway. You're not really supposed to be saving savedsearches with $foo$ tokens in them -- really the use case you're describing is exactly what macros are for.

Create a macro (Manager > Advanced Search > Macros), call it like "vendor_name_search", give the macro a single argument, call that argument VdrName or VendorName or what-have-you, and have the macro's definition be

index=aaa VendorName="$VdrName$" [search index=bbb VendorName="$VdrName$"| stats...] | stats ...

like you have in your savedsearch today.

To illustrate, once you save this macro this means you can run it in any search, just by doing

`vendor_name_search("someVendorName")`

Here's some XML showing that macro now in use, just in an ordinary Sideview Search module right downstream from your Pulldown.

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">index=aaa | chart count over VendorName</param>
  <module name="Pulldown" layoutPanel="panel_row1_col1_grp1">
    <param name="name">VdrName</param>
    <param name="label">Vendor Name</param>
    <param name="searchFieldsToDisplay">
      <list>
        <param name="label">VendorName</param>
        <param name="value">VendorName</param>
      </list>
    </param>
    <module name="Search">
      <param name="search">`vendor_name_search("$VdrName$")`</param>
      <!-- modules that render the results go here -->
    </module>
  </module>
</module>

Note - you also had a little autoRun confusion in your XML. autoRun="False" will do nothing, and autoRun="True" should always be pulled up as high as possible. It was probably causing no harm in this case but it's best to be careful.

Don't forget to get the latest Sideview Utils - the latest is 2.3 and it's only available on the Sideview site, free for internal use. If you're still using the 1.3.5 version from Splunkbase you're missing a pretty vast number of fixes, features and improvements. http://sideviewapps.com/apps/sideview-utils
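
The macro described in this answer, written as a macros.conf stanza. This is an added example, not part of the original post; the app directory in the path comment is a placeholder, and the elided stats clauses are left exactly as posted.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf   (<your_app> is a placeholder)
#
# The "(1)" suffix in the stanza name is the argument count. A macro that
# takes arguments must carry it, and a call with a different number of
# arguments will not match this stanza.
[vendor_name_search(1)]
# Argument name; it is referenced as $VdrName$ inside the definition.
args = VdrName
# "stats..." and "stats ..." are elided in the post and kept as written.
definition = index=aaa VendorName="$VdrName$" [search index=bbb VendorName="$VdrName$"| stats...] | stats ...
```

The view then calls it with backticks, as in the XML above: `vendor_name_search("$VdrName$")`.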

SplunkTrust

It will actually. If the characteristics of the search match a saved search that has acceleration enabled, then the ad-hoc search will also be accelerated.

0 Karma

Path Finder

I was trying out the macro function, but realized that it does not provide the option to accelerate the search. I would like to have the option to accelerate my searches.

0 Karma