- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Argument passing with SearchLinkLister
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please note that I am confined to using version 4.0.11. I’m aware that much of what I want to do can be accomplished with later versions but I am not permitted to upgrade. I’m working with the SearchLinkLister in hopes that I can generate lists of publications that the user can click on in order to see which accounts have downloaded the selected publication. I’ve taken the basis of my XML from the Search Summary dashboard and have been successful in generating a clickable list. The search that is generated is correct in every manner except that it wraps most of the search in double quotes which, of course, makes the search invalid. My question is how can I either remove the double quotes before the search is dispatched, or prevent them altogether?
The parameter being passed to the search is, 01-75gah-4-6.pdf
Here is the important portion of the advanced XML I am using:
<module name="Paginator" >
<param name="count">10</param>
<param name="entityName">settings</param>
<param name="maxPages">10</param>
<module name="SearchLinkLister">
<param name="settingToCreate">list1</param>
<param name="search">sourcetype="iis" earliest=-0d@d latest=+6h jkcs1 /tm/ .pdf
| makemv delim="/" cs_uri_stem
| eval Publication=mvindex(cs_uri_stem,3)
| stats count(Publication) by Publication
| fields Publication</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">Publication</param>
<param name="value">Publication</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">list1</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="sourcetype">iis earliest=-d@d sc_status=200 cs_uri_stem=*$target$
| lookup PubsAccounts.csv cs_username OUTPUT Unit as Account
| rename cs_uri_stem as Publication
| stats list(Publication) by Account | fields Account
</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
This is the resulting search, note the double quotes after sourcetype and at the very end:
sourcetype="iis earliest=-d@d sc_status=200 cs_uri_stem=*01-75gah-4-6.pdf
| lookup PubsAccounts.csv cs_username OUTPUT name as Account
| rename cs_uri_stem as Publication
| stats list(Publication) by Account | fields Account"
As an aside, I would like to ultimately direct this search to something that does not have a search bar.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I discovered that I needed a hidden search in order to make this work, that and using stringreplace. Here is the relevant Advanced XML.
<!-- this generates the linked list of publication names -->
<module name="Paginator" >
<param name="count">10</param>
<param name="entityName">settings</param>
<param name="maxPages">10</param>
<module name="SearchLinkLister">
<param name="settingToCreate">list1</param>
<param name="search">sourcetype="iis" earliest=-0d@d latest=+6h jkcs1 /tm/ .pdf
| makemv delim="/" cs_uri_stem
| eval Publication=mvindex(cs_uri_stem,3)
| stats count(Publication) by Publication
| fields Publication</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">Publication</param>
<param name="value">Publication</param>
</list>
<!--list>
<param name="label">Accounts</param>
<param name="labelFormat">Accounts</param>
</list -->
</param>
<!-- This will create the search on the publication -->
<!-- The hiddensearch module is the vital piece -->
<module name="HiddenSearch">
<param name="search">
sourcetype=iis earliest=-d@d sc_status=200 cs_uri_stem=*$pub$
| lookup NATEC_Mid-Tiers.csv cs_username OUTPUT Unit as Account
| rename cs_uri_stem as Publication
| stats list(Publication) by Account | fields Account
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">list1</param>
<param name="intention">
<!-- The stringreplace is the second key-->
<param name="name">stringreplace</param>
<param name="arg">
<param name="pub">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And here is the final piece of the puzzle.
Add this to the end of the hidden search
| outputlookup TransferredPubs.csv
Then change your viewtarget to a new view
<param name="viewTarget">TMDownloads</param>
Then create a view called TMDownloads that looks like this
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
<label>TM Downloads</label>
<row>
<table>
<searchName>TMDownloads</searchName>
<title>Downloads</title>
<option name="count">20</option>
<option name="showPager">true</option>
</table>
</row>
</dashboard>
And lastly create a saved search called TMDownloads that contains this
| inputlookup TransferredPubs.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I discovered that I needed a hidden search in order to make this work, that and using stringreplace. Here is the relevant Advanced XML.
<!-- this generates the linked list of publication names -->
<module name="Paginator" >
<param name="count">10</param>
<param name="entityName">settings</param>
<param name="maxPages">10</param>
<module name="SearchLinkLister">
<param name="settingToCreate">list1</param>
<param name="search">sourcetype="iis" earliest=-0d@d latest=+6h jkcs1 /tm/ .pdf
| makemv delim="/" cs_uri_stem
| eval Publication=mvindex(cs_uri_stem,3)
| stats count(Publication) by Publication
| fields Publication</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">Publication</param>
<param name="value">Publication</param>
</list>
<!--list>
<param name="label">Accounts</param>
<param name="labelFormat">Accounts</param>
</list -->
</param>
<!-- This will create the search on the publication -->
<!-- The hiddensearch module is the vital piece -->
<module name="HiddenSearch">
<param name="search">
sourcetype=iis earliest=-d@d sc_status=200 cs_uri_stem=*$pub$
| lookup NATEC_Mid-Tiers.csv cs_username OUTPUT Unit as Account
| rename cs_uri_stem as Publication
| stats list(Publication) by Account | fields Account
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">list1</param>
<param name="intention">
<!-- The stringreplace is the second key-->
<param name="name">stringreplace</param>
<param name="arg">
<param name="pub">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
