Archive2

Can I combine HiddenSavedSearch module and ExtendedFieldSearch?

Splunk Employee
Splunk Employee

s it possible to combine HiddenSavedSearch and ExtendedFieldSearch to do a replacement on a saved search $value$?

I have something similar to this:

<module name="ExtendedFieldSearch"> 
<param name="intention"> 
<param name="name">stringreplace</param> 
<param name="arg"> 
<param name="service"> 
<param name="default">catch22</param> 
</param> 
</param> 
</param> 
<param name="replacementMap"> 
<param name="arg"> 
<param name="service"> 
<param name="value"></param> 
</param> 
</param> 
</param> 

<param name="field">Service Name</param> 

<module name="HiddenSavedSearch" layoutPanel="panel_row1_col1"> 
<param name="savedSearch">Tomcat - JVM Heap Full Overview</param> 
<module name="HiddenChartFormatter" layoutPanel="panel_row1_col1_grp1"> 
<param name="chartTitle">JVM Heap Full Overview</param> 
<param name="legend.placement">bottom</param> 
<param name="chart">line</param> 
<module name="FlashChart"> 
<param name="width">275px</param> 
<param name="height">325px</param> 
<module name="ViewRedirectorLink"> 
<param name="viewTarget">flashtimeline</param> 
<param name="label">View full results</param> 
</module> 
</module> 
</module> 
</module> 

and a saved search referencing $service$, but it doesn't seem to work.

Tags (2)
1 Solution

SplunkTrust
SplunkTrust

You actually can.

The reason why its not working is that this is one of the few cases where there's an order dependency. Put the ExtendedFieldSearch downstream from the HiddenSavedSearch.
The HiddenSavedSearch actually obliterates everything about the search, including things like intentions and timeranges. Thus its actually erasing the change wrought by ExtendedFieldSearch.

As an aside, unless the $service$ token is NOT in the initial search clause of your saved search, you really dont want to do it this way. I recommend switching from the stringreplace intention to the slightly simpler addterm intention. replace the

<param name="intention">
...
</param>

node that you have there, with this

<param name="intention">
  <param name="name">addterm</param>
  <param name="arg">
    <param name="service"></param>
  </param>
  <param name="flags"><list>indexed</list></param>
</param>

View solution in original post

SplunkTrust
SplunkTrust

You actually can.

The reason why its not working is that this is one of the few cases where there's an order dependency. Put the ExtendedFieldSearch downstream from the HiddenSavedSearch.
The HiddenSavedSearch actually obliterates everything about the search, including things like intentions and timeranges. Thus its actually erasing the change wrought by ExtendedFieldSearch.

As an aside, unless the $service$ token is NOT in the initial search clause of your saved search, you really dont want to do it this way. I recommend switching from the stringreplace intention to the slightly simpler addterm intention. replace the

<param name="intention">
...
</param>

node that you have there, with this

<param name="intention">
  <param name="name">addterm</param>
  <param name="arg">
    <param name="service"></param>
  </param>
  <param name="flags"><list>indexed</list></param>
</param>

View solution in original post

SplunkTrust
SplunkTrust

Oh cheers. I edited the answer a bit.

Splunk Employee
Splunk Employee

This doesn't seem to be what Mick is asking for. He is trying to use the HiddenSavedSearch module to reference a search with a stringreplace variable imbedded in it.

Splunk Employee
Splunk Employee

No, this is currently not possible. You must use a hidden search to facilitate this behavior.

0 Karma
Reply

SplunkTrust
SplunkTrust

No, if he reverses the order and puts the HiddenSavedSearch above the ExtendedFieldSearch, it will work. It's just a little bizarre and not recommended to have $foo$ tokens in the saved search itself.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!