Re: Is there SPL to hard code search mode?

efavreau · ‎03-29-2018

I am working on documentation which requires users to check if they are in a certain mode (fast, smart, verbose) before continuing. Is there an undocumented SPL trick to hard code the search mode?

Similar to using earliest or latest in SPL instead of the time picker, I am looking to see if we can hard code the search mode in SPL.

I am aware you can do this as URL parameters, i.e. &display.page.search.mode=fast ". However that and admin-type stuff isn't going to work for my needs.

I'm in version >=6.5. Here's where I've looked for details, but found none:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Search/Changethesearchmode
https://docs.splunk.com/Splexicon:Searchmode

Thanks!

###

If this reply helps you, an upvote would be appreciated.

deepashri_123 · ‎03-29-2018

Hey@efavreau,

You can try this:

Try to change ui-prefs.conf
[yourappname]
display.page.search.mode = fast

for e.g.,

[search]
display.page.search.mode = fast

Let me know if this helps!!

efavreau · ‎04-02-2018

Thanks for the comment @deepashri. I've updated the question to reflect the admin-type stuff isn't going to work for my needs. Looking for something that probably doesn't exist, but had to ask.

###

If this reply helps you, an upvote would be appreciated.

splunker12er · ‎04-02-2018

I guess cannot specify the search mode from search query - Found the paramter adhoc_search_level is the one set for each search modes (as fast/verbose/smart) - you can see from the search job inspector ,

I can run query from CLI like below and can get results - but cannot pass arg. as like this in search app.

D:\Program Files\Splunk\bin>splunk.exe search "index=*|head 1" -preview true -ad
hoc_search_level fast

Is there SPL to hard code search mode?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms