The results of the searches bring a lot of useful information such as hashes, ip addresses, file locations and names. Rather than re-type this information into other applications, it is quite useful to simply highlight the information and copy it to the clipboard for pasting into other locations.
Unfortunately, left-clicking and sometimes even the process of highlighting (left-click and drag) can launch a new splunk search based on whatever field it thought that I was clicking on. I would prefer to turn that functionality off altogether, but the more important point is that I lose the results of the previous search when this happens.
I would also prefer the ability to easily recall the search results without waiting for the search to execute again from the beginning. I read an article where you can find the search ID number and then input that into a chain of search commands which can pull the previous search results into a new search or simply bring them up for viewing without executing a new search, but that process seems quite inconvenient: newsearch | append [ | loadjob oldsearchid ]
Is there a way to prevent the clicking action from instantly running a new search?
Is there a way to have new searches by clicking run in a new window by default?
Is there a way to pull a previous search without having to record the search number of the previous search immediately after each search? On a side note, when a new search is accidentally started while trying to copy information to the clipboard, is it possible to discover the search ID of the previous (lost) search? Is there a search history area?
For the side note, you can usually just press the browser's back button.
As for search history, you're probably thinking of the job monitor accessible from the top right corner.
I think this is true if the back arrow is used before the search expires (anyone know how long?). On that note, the sid is located in the URL, so it makes sense that the back arrow would retrieve the search without executing it again. So the URL would be an easy place to find the sid of the current search. In another thread, the Inspect Search function was suggested for locating the sid, but that seemed a little too painful to me just to get a sid. The need to get a sid seems inconvenient enough by itself, except perhaps with complex searches which use results from multiple searches.
Are the other applications web-based and able to accept the text you're trying to copy&paste as a URL parameter?
Some of the applications/tools which use the data copied from Splunk are web-based and accept data through URL parameters, like VirusTotal and like our internal asset and employee search pages. Others are not, like MS Excel, where I store records of findings and related data or create command line argument strings for cmd.exe, where data is sometimes pasted into a string from either Excel or Splunk.
For the web-based ones you can create workflow actions that pass Splunk field values to those applications: http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Aboutlookupsandfieldactions#Workflow_act...
Even then, there may be 100 hash values and I only want to pass a few of them to VirusTotal and view their webpage showing the results of the analysis. The same is true of user ids in the Splunk search results for the employee search or of computer names for the asset portal search. Even still, workflow actions do sound interesting and powerful for automating other applications. They do not seem helpful in this case though.
I am going to consolidate some of the above discussion into an answer, and make some suggestions:
What you can do to make this easier:
Copy the flashtimeline view and customize it. This is advanced XML, and therefore a bit more complicated than the other two options. But you can certainly build custom drilldown. I am also sure that you can completely remove the click behavior, although I have never done that myself. In Splunk 5, flashtimeline is the default search view. In Splunk 6, flashtimeline is still there but it isn't the default. In either case, you should copy it and then rename+edit your copy.
I found a way to change the click behavior of the default search view.
To turn off the function to launch a new search when a field is clicked (called drilldown):
Open the Format menu (below the time graph) and set the Drilldown menu to "None".
Find previous Jobs through Activity - Jobs at the top right of the client. (Thank you, Iguinn)
I still cannot locate the function to launch a new search into its own window from the search entered into an existing search box, thus keeping a previous search in its window. The goal of such a function would be to allow an initial search to attempt a refinement, which would use the results of the previous search (like a pipe). If the new search was unsuccessful, then that new window could be closed and the previous search would be waiting in the old window for another attempt to refine the search. This would also allow one search to be piped into a table and into a stats chart and into a Visualization all separately while only running the initial search parameters once.
The search ID (sid) may be found easily from the last element in the URL, from the Inspect function found in the Activity - Jobs history page, or by using the Search Job Inspector.
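As an added illustration of reusing a finished job by its sid (example searches written for this thread, not taken from the original posts or from Splunk documentation), assume the sid 1392654321.123 has been copied from the URL of the completed search and that its results carry the fields src_ip and file_hash. The first search refines the stored results without re-running the original query; the second is the append form the question mentions, combining the stored results with a fresh search:

```spl
| loadjob 1392654321.123
| search file_hash=*
| stats count by file_hash, src_ip

index=proxy action=blocked earliest=-1h
| append [ | loadjob 1392654321.123 ]
| dedup file_hash
| table _time src_ip file_hash
```

loadjob only works while the job artifacts still exist, so the refinement must happen before the original job expires; the expiry is visible for each job on the Activity - Jobs page. The index name, field names and sid above are placeholders chosen for the example.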