
Sideview Utils ResultsValueSetter - what fields are actually available?


In the Sideview Utils documentation it says "ResultsValueSetter allows you to reach up into the server's search results, grab some field values from the first row of the current search results".

This is probably something totally obvious that I'm missing, but is there a way I can see a list of what actual fields I can call? I have randomly stumbled upon some of them using the job inspector (i.e. runDuration etc.) but I'd like to know which ones I can actually use.

Cheers 😉

Lucas

1 Solution


No - those things like "runDuration" are not fields at all. By fields it means literally the fields on your search results - the things like sourcetype, username, status, method, etc. Whatever you've defined field extractions for, or whatever fields your app or your dashboard is extracting.

For any particular dashboard and any particular search, to get some visibility into the fields available in that set of search results, I would quickly tack on a "| fieldsummary" and then throw a <module name="Table"/> right into the page, and it will show you a table of all fields.

Or more commonly while I'm working on a dashboard I'll have the search laid out in a separate browser tab, wherein I am constantly running little crosschecks and experiments on the search language. Tacking on a " | fieldsummary" and hitting return in that window is a good example of this sort of thing.

As far as those items that you can see in the job dictionary, a small amount of that information is available wherever Sideview modules have $foo$ substitution, and you can see the list of these on the following page within the Sideview Utils docs - "Key Techniques > Other > overview of all the $foo$ tokens". Specifically there are tokens like $results.count$ for the final result count, $results.eventCount$ for events matched, and $results.scanCount$ for the events scanned. $results.runDuration$ is another example. However the entire space of keys in the Job Inspector is not reflected. Just about a dozen of them.

Note: if you're actually using Sideview Utils 1.3.X, you should update. Many of these $foo$ tokens I think weren't there back that far, and the documentation page I referred to won't be there. Latest as of this writing is 2.6.1, it's free for internal use and it is available only from the Sideview site at http://sideviewapps.com/apps/sideview-utils


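The two techniques in the accepted answer, laid out as a Sideview Utils advanced-XML view. This is an added example, not code from the thread or from the Sideview Utils distribution: the module names (Search, Table, ResultsValueSetter, HTML), the "fields" and "html" params and the $results.count$ token follow Sideview Utils conventions as described above, while the index, sourcetype, field names and layoutPanel ids are assumed. Panel 1 appends "| fieldsummary" to the base search and feeds a Table module, so every field name in the result set is listed; panel 2 then reaches into the first row with ResultsValueSetter and uses the job-level $results.count$ token alongside the row-level values.

```xml
<!-- Added example, not from the original thread. Module names and params
     follow Sideview Utils advanced-XML conventions; the index, sourcetype,
     field names and layoutPanel ids are assumptions for illustration. -->
<view template="dashboard.html">
  <label>Field discovery with fieldsummary</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <!-- Panel 1: discovery. Same base search plus "| fieldsummary", rendered
       by a Table module so the dashboard itself lists every field (and its
       sample values) available to a downstream ResultsValueSetter. -->
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=web sourcetype=access_combined | fieldsummary</param>
    <param name="earliest">-24h</param>
    <module name="Table"/>
  </module>

  <!-- Panel 2: use. ResultsValueSetter grabs the named fields from the FIRST
       row of the results ("sort -count" makes that row the busiest status);
       $results.count$ is one of the job-level tokens and is not a row field. -->
  <module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">index=web sourcetype=access_combined | stats count by status | sort -count</param>
    <param name="earliest">-24h</param>
    <module name="ResultsValueSetter">
      <param name="fields">status,count</param>
      <module name="HTML">
        <param name="html"><![CDATA[
          <p>Most common HTTP status: <b>$status$</b> ($count$ requests).
             Distinct status values in the result set: $results.count$.</p>
        ]]></param>
      </module>
    </module>
  </module>
</view>
```

Treat panel 1 as a development aid and remove it before the view is published: fieldsummary exposes the name, value distribution and sample values of every field in the results, which is exactly what you want while building the dashboard and more than you want to hand to every user who can open it.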


Ahh, thanks. I'm using v2.5.

As for runDuration etc., I thought I'd seen them before. I spent ages trying to find where I'd originally seen a list of them. For some reason I'd had one of them in a ResultsValueSetter, hence the reason why I was getting confused about its origin.

Once again thanks. Most if not all of our dashboards wouldn't be possible without Sideview Utils 😉 (well ... not with nearly the same functionality, and with less headache to create!). Crossing my fingers that not too many of our dashboards are broken in v6.
