Dashboards & Visualizations

Controlling search execution via dashboard inputs

mschellhouse
Path Finder

We want to be able to save specific dashboard inputs using outputlookup only if the user has selected a control (check box, radio button,??). All other panels should display as normal. Essentially what we want to do is store the timeframes entered in a "valid results" table that we can then use to recall the same dashboard output again at a later time. Any suggestions on the best way to implement this?

0 Karma
1 Solution

DalJeanis
Legend

Anywhere in your search, you can add this...

| appendpipe 
     [| addinfo 
      | stats min(info_min_time) as min_time  max(info_max_time) as max_time 
      | eval search_time = now()
      | table search_time min_time max_time
      | outputcsv mytempresults.csv 
      | where false()
      ]

That saves your data to a temp file, overwriting the file every time it runs.


Next, you create a hidden panel using depends/rejects, with its own search code. When your control is checked, pressed, whatever, it sets the depends token and allows the append search to run, which also blanks out the temp file.

      | inputcsv mytempresults.csv $mynulldependstoken$
      | outputcsv append=t myrealresults.csv
      | where false()
      | outputcsv mytempresults.csv

You need to set a postprocess in the form that will clear out the token again, and you're done.
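
One way to wire the answer above into a Simple XML form, as an added example that is not part of the original post or DalJeanis's own dashboard. The token names (`time_tok`, `save_ctl`, `save_trigger`), the base search, and the `<done>` handler used to reset the control are assumptions; the token here carries the literal value `save` and is referenced in a `where` clause rather than after the file name, so the sketch does not depend on how empty token values are treated.

```xml
<!-- Added example: hypothetical dashboard; token names and base search are assumptions -->
<form version="1.1">
  <label>Save validated timeframes (example)</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <input type="checkbox" token="save_ctl">
      <choice value="save">Save this timeframe as valid results</choice>
      <change>
        <!-- Checked: define the token the hidden search waits on; unchecked: undefine it -->
        <condition value="save"><set token="save_trigger">save</set></condition>
        <condition><unset token="save_trigger"></unset></condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | stats count by sourcetype
| appendpipe [| addinfo
    | stats min(info_min_time) as min_time max(info_max_time) as max_time
    | eval search_time = now() | table search_time min_time max_time
    | outputcsv mytempresults.csv
    | where false()]</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
  <row depends="$save_trigger$">
    <panel>
      <table>
        <search>
          <!-- Dispatched only once $save_trigger$ is defined -->
          <query>| inputcsv mytempresults.csv | where "$save_trigger$"=="save"
| outputcsv append=t myrealresults.csv | where false() | outputcsv mytempresults.csv</query>
          <done>
            <!-- Reset the control so the next run does not append again -->
            <unset token="form.save_ctl"></unset>
            <unset token="save_trigger"></unset>
          </done>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because mytempresults.csv is a single file name shared by everyone who runs the dashboard, two users running it at the same time can overwrite each other's temp row before the save search fires.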


lfedak_splunk
Splunk Employee

Hey @mschellhouse, if @DalJeanis solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma

mschellhouse
Path Finder

Can you help explain what the where statement is doing in your example?

0 Karma

DalJeanis
Legend

It is getting rid of every single transaction that was created, so it doesn't get appended to the results.

appendpipe processes all your events through its search and then adds whatever comes out to the end of the result set. |where false() ensures that there are no actual additions.

0 Karma