Dashboards & Visualizations

Controlling search execution via dashboard inputs

mschellhouse
Path Finder

We want to be able to save specific dashboard inputs using outputlookup only if the user has selected a control (check box, radio button,??). All other panels should display as normal. Essentially what we want to do is store the timeframes entered in a "valid results" table that we can then use to recall the same dashboard output again at a later time. Any suggestions on the best way to implement this?

1 Solution

DalJeanis
Legend

Anywhere in your search, you can add this...

| appendpipe 
     [| addinfo 
      | stats min(info_min_time) as min_time  max(info_max_time) as max_time 
      | eval search_time = now()
      | table search_time min_time max_time
      | outputcsv mytempresults.csv 
      | where false()
      ]

That saves your data to a temp file, overwriting the file every time it runs.


Next, you create a hidden panel using depends/rejects, with its own search code. When your control is checked, pressed, whatever, it sets the depends token and allows the append search to run, which also blanks out the temp file.

      | inputcsv mytempresults.csv $mynulldependstoken$
      | outputcsv append=t myrealresults.csv
      | where false()
      | outputcsv mytempresults.csv

You need to set a postprocess in the form that will clear out the token again, and you're done.
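As an added illustration (this is not DalJeanis's or mschellhouse's dashboard, and it is not from the original post), here is a Simple XML form that wires the two searches above to a checkbox. The token names (save_box, save_ctl, tp), the sample main search over index=_internal, and the file names are assumptions made for the example; the "postprocess that clears the token" is done here with a <done> handler on the hidden panel's search, which unsets the depends token and blanks the checkbox via the form.-prefixed token.

```xml
<form>
  <label>Save selected time windows (added example, not the thread's own dashboard)</label>

  <fieldset submitButton="false">
    <input type="time" token="tp">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>

    <!-- The checkbox only sets/unsets $save_ctl$; the hidden row below depends on it. -->
    <input type="checkbox" token="save_box">
      <label>Save this time window</label>
      <choice value="1">Save</choice>
      <change>
        <condition value="1">
          <set token="save_ctl">1</set>
        </condition>
        <condition>
          <unset token="save_ctl"></unset>
        </condition>
      </change>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Normal results</title>
      <table>
        <search>
          <!-- Main search (sample). The appendpipe branch records the effective time
               window to a temp file, then "where false()" drops its own rows so nothing
               is appended to the visible results. -->
          <query>index=_internal sourcetype=splunkd log_level=ERROR
| stats count by component
| appendpipe
    [| addinfo
     | stats min(info_min_time) as min_time max(info_max_time) as max_time
     | eval search_time = now()
     | table search_time min_time max_time
     | outputcsv mytempresults.csv
     | where false() ]</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
      </table>
    </panel>
  </row>

  <!-- Hidden row: it (and its search) exists only while $save_ctl$ is set. -->
  <row depends="$save_ctl$">
    <panel>
      <table>
        <search>
          <query>| inputcsv mytempresults.csv $save_ctl$
| outputcsv append=t myrealresults.csv
| where false()
| outputcsv mytempresults.csv</query>
          <!-- Once the append has run, clear the token and uncheck the box so a
               dashboard refresh does not append the same window a second time. -->
          <done>
            <unset token="save_ctl"></unset>
            <set token="form.save_box"></set>
          </done>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Saved windows (recall one by re-entering min_time/max_time in the time picker)</title>
      <table>
        <search>
          <query>| inputcsv myrealresults.csv
| convert ctime(search_time) ctime(min_time) ctime(max_time)</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

One practical caveat when you deploy something like this: outputcsv and inputcsv read and write files under the search head's var/run/splunk/csv directory, which every user of that search head shares, so a fixed file name means two people saving at the same time overwrite each other's temp file. A per-user name built from the $env:user$ token, or an outputlookup into a KV store collection as the original question proposed, avoids that.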


lfedak_splunk
Splunk Employee

Hey @mschellhouse, if @DalJeanis solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!


mschellhouse
Path Finder

Can you help explain what the where statement is doing in your example?


DalJeanis
Legend

It is getting rid of every single transaction that was created, so it doesn't get appended to the results.

appendpipe processes all your events through its search and then adds whatever comes out to the end of the result set. | where false() ensures that there are no actual additions.
