
SideviewUtils URL search string update and refresh problem

rhayle
Path Finder

Why is the search URL string not updating correctly? As soon as I push the refresh button I lose the pulldown information.

e.g.
test/?q=search index%3D"*"&earliest=-4h%40m&latest=now

In this example the host field is missing and the search does not update when the pulldown is changed.

Thanks!








1
False



1
True
splunk.search.job


Transaction Activity Logs


-2d
now
index=""

index
Tenant
$name$="$value$"
dedup $name$ | sort $name$
left


index
index



host
Host
$name$="$value$"
search $index$ | dedup $name$ | sort $name$
left


host
host



True

Search
True
True
True

$index$ $host$ sourcetype="abc_log" | transaction startswith="dopost()"

True


results
10












1 Solution

sideview
SplunkTrust

Well, you're mixing worlds here. Sideview Utils has a mechanism whereby all the form element settings can be passively preserved in the URL - such that refreshing the page will reload all the form elements the way they were.

Splunk then has a very limited mechanism to do the same thing, but it only will work with the SearchBar basically, not with any other form-element modules, and you're sort of using part of that here, but not all of it. It's a long story!

But the Sideview Utils way is a lot simpler, so let's go that way.

Just put in the Sideview URLLoader module at the top (as per Sideview docs around linking and prepopulation), set its "keepURLUpdated" param to true so that it will passively update the URL when you change form elements, and then replace the Splunk 'SubmitButton' module you had there with the simpler Sideview Button module.

Aside from that I also removed some modules and config that weren't doing anything and were probably vestigial from a simple-xml conversion. Here is the cleaned-up XML, and you'll find this version is able to keep the URL updated when the pulldowns or TimeRangePicker modules are updated.

And then at the bottom I've called out a different but also serious problem with your dashboard. Read on.

<view autoCancelInterval="90" isVisible="true" onUnloadCancelJobs="true" template="dashboard.html">
  <label>Transaction Activity Logs</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="maxSize">1</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="filter"></param>
  </module>
  <module name="Message" layoutPanel="messaging">
    <param name="maxSize">1</param>
    <param name="clearOnJobDispatch">True</param>
    <param name="filter">splunk.search.job</param>
  </module>
  <module name="GenericHeader" layoutPanel="viewHeader">
    <param name="label">Transaction Activity Logs</param>
  </module>

  <module name="URLLoader" layoutPanel="viewHeader" autoRun="True" >
    <param name="keepURLUpdated">True</param>

    <module name="Search">
      <param name="earliest">-2d</param>
      <param name="latest">now</param>
      <param name="search">index="*"</param>

      <module name="Pulldown">
        <param name="name">index</param>
        <param name="label">Tenant</param>
        <param name="template">$name$="$value$"</param>
        <param name="postProcess">dedup $name$ | sort $name$</param>
        <param name="float">left</param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">index</param>
            <param name="value">index</param>
          </list>
        </param>

        <module name="Pulldown">
          <param name="name">host</param>
          <param name="label">Host</param>
          <param name="template">$name$="$value$"</param>
          <param name="postProcess">search $index$ | dedup $name$ | sort $name$</param>
          <param name="float">left</param>
          <param name="searchFieldsToDisplay">
            <list>
              <param name="label">host</param>
              <param name="value">host</param>
            </list>
          </param>

          <module name="TimeRangePicker">
            <param name="searchWhenChanged">True</param>

            <module name="Button">
              <param name="label">Search</param>
              <param name="allowSoftSubmit">True</param>

              <module name="Search" layoutPanel="panel_row1_col1">
                <param name="search">$index$ $host$ sourcetype="abc_log" | transaction startswith="dopost()"</param>

                <module name="JobProgressIndicator"/>

                <module name="Pager">

                  <module name="EventsViewer"></module>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>

However!! There are two more quite serious and higher-order problems with your dashboard!

1) Doing index="*", and then doing | dedup index | sort index in a postprocess is a very bad way to get a dynamic pulldown for indexes, on several levels. Performance will be bad, and if you try to do the same thing on an extracted field it simply won't work. Also you'll be subject to postprocess limits. Read the "Introduction to PostProcess" in the Sideview Utils docs, and it will give you a good grounding here.

And in this specific case, of getting pulldowns for index and host, you can actually use mechanisms that don't require touching the indexed events at all.

If you want to get all the indexes, do this:

| eventcount index=* summarize=false

And then to get all the hosts for the given index, do this:

| metadata type="hosts" $index$

Both will run basically instantly and will always give back accurate results.

2) Your incoming link looks like "?q=search foo", but this is a very old-school kind of Splunk link and it will only work with the legacy intention-based prepopulation.

Prepopulating Sideview modules like Pulldown is a lot easier. The link itself should look like:

?host=someHost&index=someIndex&earliest=-24h&latest=now

That will prepopulate host, index and the TimeRangePicker.
Now, how to change the dashboard linking to this dashboard depends on whether you're using the Simple XML or the Advanced XML. In the Advanced XML you'd simply use the Sideview Utils Redirector module, and the Sideview docs around linking can walk you through this.

In the Simple XML it's pretty simple too - you just have to set the drilldown params such that it passes host, index, and earliest and latest, i.e. so you end up with a URL as written above.


0 Karma

sideview
SplunkTrust

Note - if you're using Sideview Utils 2.X (which you should be), you can replace these:

<param name="searchFieldsToDisplay">
  <list>
    <param name="label">host</param>
    <param name="value">host</param>
  </list>
</param>

with this:

<param name="valueField">host</param>

or even:

<param name="valueField">$name$</param>
0 Karma
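
Added example, not part of the original posts and not Sideview's own code: the URLLoader subtree from the answer above, with the two pulldowns fed by the eventcount and metadata searches it recommends and the valueField shorthand from the follow-up comment. The trailing dedup/sort clauses and the nesting of a second Search module under the index Pulldown are assumptions made for this sketch.

```xml
<!-- Added example: drop-in replacement for the URLLoader subtree of the view above. -->
<module name="URLLoader" layoutPanel="viewHeader" autoRun="True">
  <param name="keepURLUpdated">True</param>

  <!-- Index list from eventcount; no indexed events are scanned.
       dedup/sort are assumptions added to collapse per-indexer rows. -->
  <module name="Search">
    <param name="search">| eventcount index=* summarize=false | dedup index | sort index</param>

    <module name="Pulldown">
      <param name="name">index</param>
      <param name="label">Tenant</param>
      <param name="template">$name$="$value$"</param>
      <param name="valueField">$name$</param>
      <param name="float">left</param>

      <!-- Host list for the selected index; $index$ expands via the
           Pulldown template above to index="..." -->
      <module name="Search">
        <param name="search">| metadata type="hosts" $index$ | sort host</param>

        <module name="Pulldown">
          <param name="name">host</param>
          <param name="label">Host</param>
          <param name="template">$name$="$value$"</param>
          <param name="valueField">$name$</param>
          <param name="float">left</param>

          <module name="TimeRangePicker">
            <param name="searchWhenChanged">True</param>

            <module name="Button">
              <param name="label">Search</param>
              <param name="allowSoftSubmit">True</param>

              <module name="Search" layoutPanel="panel_row1_col1">
                <param name="search">$index$ $host$ sourcetype="abc_log" | transaction startswith="dopost()"</param>
                <module name="JobProgressIndicator"/>
                <module name="Pager">
                  <module name="EventsViewer"/>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
```

Because the Pulldown names are unchanged, a link of the form ?host=someHost&index=someIndex&earliest=-24h&latest=now still prepopulates this version.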