All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

replacing a $token$ within the $search$-token for drilldown / link

bjoernjensen
Contributor
‎12-04-2013 08:51 AM

Hi everyone.

using side view utils I am trying to pass one (or more) token from a dropdown into a search for parameterize it. This works. But since I want to add some kind of drilldown/link to that additionally I am in trouble. I would like to build a href that takes the $search$ token that already has the current $token$ replaced.

I forgot: This will lead in a linked value (a certain result of the main search) that will open a search with a query that will end exactly where the token within the $search$-token starts and should be replaced. 

<view autoCancelInterval="90" isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
<label>visulizationpanel</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="appHeader"/>
<module name="SideviewUtils" layoutPanel="appHeader"/>
<module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="maxSize">2</param>
    <param name="clearOnJobDispatch">False</param>
</module>

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">index=_internal component=Metrics | where isnotnull(max_size_kb) | where isnotnull(largest_size) | where isnotnull(name) | table max_size_kb largest_size name _time | rename name as internalLabel</param>
    <param name="earliest">-1h</param>
    <param name="latest">now</param>

    <module name="Pulldown">
        <param name="name">internalLabel</param>
        <param name="label">choose Name</param>
        <param name="template">search internalLabel="$value$"</param>
        <param name="postProcess">dedup $name$ | sort $name$</param>
        <param name="valueField">$name$</param>

        <module name="Search">
            <param name="search">index=_internal component=Metrics | where isnotnull(max_size_kb) | where isnotnull(largest_size) | where isnotnull(name) | table max_size_kb largest_size name _time | rename name as internalLabel | $internalLabel$ | stats max(largest_size) as maxLargestSize avg(largest_size) as avgLargestSize max(max_size_kb) as maxSizeKb avg(max_size_kb) as avgSizeKb | eval avgSizeKb=round(avgSizeKb) | eval avgLargestSize=round(avgLargestSize) | table maxLargestSize avgLargestSize maxSizeKb avgSizeKb</param>
            <param name="earliest">-1h</param>
            <param name="latest">now</param>

                <module name="HTML">
                    <param name="html">
                        <![CDATA[
                            <a href="search?q=search%20$search$&earliest=$search.timeRange.earliest$&latest=$search.timeRange.latest$">$results[0].maxLargestSize$</a>
                        ]]>
                    </param>
                </module>
                <module name="Button">
                    <param name="label">link</param>
                    <module name="Redirector">
                      <param name="url">flashtimeline</param>
                      <param name="arg.q">search $search$</param>
                      <param name="arg.earliest">$search.timeRange.earliest$</param>
                      <param name="arg.latest">$search.timeRange.latest$</param>
                    </module>
                </module>
        </module>
    </module>
</module>
</view>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎12-04-2013 11:22 AM

I guess there are two issues here.

  1. In HTML module, href property :- change "a href="search?q=search%20$search$....." to "a href="flashtimeline?q=search%20$search$.....".
  2. In the template parameter of Pulldown module, remove double quotes. This is causing query string to be truncated.

I made that changes to the view and its working fine (I have removed macro part of the query).

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎12-04-2013 11:22 AM

I guess there are two issues here.

  1. In HTML module, href property :- change "a href="search?q=search%20$search$....." to "a href="flashtimeline?q=search%20$search$.....".
  2. In the template parameter of Pulldown module, remove double quotes. This is causing query string to be truncated.

I made that changes to the view and its working fine (I have removed macro part of the query).

Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎12-05-2013 06:39 AM

Flashtimeline is basically the name of the Splunks default search screen (flashtimeline.xml). So for href property, you have to use the actual view name (and then pass query string after '?'). The word 'search' is a command which executes the passed query.

0 Karma
Reply
Solved! Jump to solution

bjoernjensen
Contributor
‎12-04-2013 11:28 PM

works like charm. thank you!

one question left for me: what is actually the difference between 'search' and 'flashtimeline'?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...