
Sideviews Search Module Saved Searches

tmurray3
Path Finder

I have a defined scheduled saved search which I would like to use with the Sideview utils Search module. However, looking at the API it only allows for the param "search", which is the literal search string and not a saved search name. Is it possible to use saved searches with the Sideview Utils Search module?

Thanks for your help.

1 Solution

sideview
SplunkTrust

No, the 'Search' module cannot be used with saved searches. Sideview Utils does package another module called 'SavedSearch', but it doesn't talk about it in the documentation because it's not quite finished. That's because while the SavedSearch module takes a saved search name as a param instead of a literal search string, it has no ability yet to retrieve the last-known-scheduled-job. That ability will come in a future release, and I'll document the module then.

For now I would just use the Splunk core module 'HiddenSavedSearch'. Unless you need to do $foo$ substitution into the saved search name, the Sideview module doesn't offer much of a benefit over its Splunk counterpart.

And if you ever want to see all the modules and read the more reference-type documentation that comes with all of them, go to http://<your host and port>/modules. The Sideview modules get blended in with all the core Splunk modules, but if you search through the page for "sideview_utils" you'll be able to read about them all (even the ones whose module reference docs say 'this is a prototype!!'). And the docs for Splunk's "HiddenSavedSearch" module are there too.


sideview
SplunkTrust

ALSO! My comments are about the version of the module in Sideview Utils 2.6.5. If you're talking about the old LGPL version of the app - version 1.3.5, then no - the SavedSearch module was just a prototype back then.

Go to http://sideviewapps.com/apps/sideview-utils to get the latest.


sideview
SplunkTrust

Yes, it may still have bugs in it, but companies are using it in production and it hasn't had a new bug in a long time.

I will say that for this particular module, there isn't a lot of reason to recommend it over the core splunk equivalent HiddenSavedSearch. If you are using sideview-style saved searches and reports (which are awesome), then absolutely, you will need to use this. But if your app is scraping by with viewstates and legacy saved-search loading, then I'm not sure what it really gets you.

Also note that you cannot do $foo$ substitution into the savedsearch name.


ccsfdave
Builder

Has SavedSearch been fully baked yet?

Thanks.
