Dashboards & Visualizations

Controlling search execution via dashboard inputs

mschellhouse
Path Finder

We want to be able to save specific dashboard inputs using outputlookup only if the user has selected a control (check box, radio button, etc.). All other panels should display as normal. Essentially what we want to do is store the timeframes entered in a "valid results" table that we can then use to recall the same dashboard output again at a later time. Any suggestions on the best way to implement this?

0 Karma
1 Solution

DalJeanis
Legend

Anywhere in your search, you can add this...

| appendpipe 
     [| addinfo 
      | stats min(info_min_time) as min_time  max(info_max_time) as max_time 
      | eval search_time = now()
      | table search_time min_time max_time
      | outputcsv mytempresults.csv 
      | where false()
      ]

That saves your data to a temp file, overwriting the file every time it runs.


Next, you create a hidden panel using depends/rejects, with its own search code. When your control is checked, pressed, whatever, it sets the depends token and allows the append search to run, which also blanks out the temp file.

      | inputcsv mytempresults.csv $mynulldependstoken$
      | outputcsv append=t myrealresults.csv
      | where false()
      | outputcsv mytempresults.csv

You need to set a postprocess in the form that will clear out the token again, and you're done.

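The two searches above only make sense once they are wired into a form with a control that sets the depends token and a handler that clears it again. The Simple XML below is an added example, not code from the original answer: it is a hypothetical dashboard that assumes a placeholder base search (index=_internal by component), a checkbox input named save_flag, and the token name mynulldependstoken from the answer. One deliberate difference from the answer: the token is used only in the hidden panel's depends attribute, not inside the search string, so the query text does not change depending on the token value.

```xml
<form>
  <label>Timeframe recorder (added example, hypothetical dashboard)</label>
  <fieldset submitButton="false">
    <input type="time" token="tf">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <!-- Checkbox: ticking it sets the token the hidden panel depends on;
         unticking it unsets the token so the panel disappears again -->
    <input type="checkbox" token="save_flag">
      <label>Keep this timeframe</label>
      <choice value="save">Save as valid result</choice>
      <change>
        <condition value="save">
          <set token="mynulldependstoken">true</set>
        </condition>
        <condition>
          <unset token="mynulldependstoken"></unset>
        </condition>
      </change>
    </input>
  </fieldset>

  <!-- Normal panel: the real search, with the appendpipe from the answer
       that writes the current timeframe to the temp file on every run -->
  <row>
    <panel>
      <title>Results</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd
| stats count by component
| appendpipe
    [| addinfo
     | stats min(info_min_time) as min_time max(info_max_time) as max_time
     | eval search_time = now()
     | table search_time min_time max_time
     | outputcsv mytempresults.csv
     | where false()
    ]</query>
          <earliest>$tf.earliest$</earliest>
          <latest>$tf.latest$</latest>
        </search>
      </table>
    </panel>
  </row>

  <!-- Hidden panel: rendered, and therefore searched, only while the token is set.
       It appends the temp rows to the permanent file and then blanks the temp file. -->
  <row>
    <panel depends="$mynulldependstoken$">
      <title>Recording timeframe...</title>
      <table>
        <search>
          <query>| inputcsv mytempresults.csv
| outputcsv append=t myrealresults.csv
| where false()
| outputcsv mytempresults.csv</query>
          <!-- Post-process step from the answer: once the append search has
               finished, clear the token (and reset the checkbox) so the
               panel does not keep re-running on every token change -->
          <done>
            <unset token="mynulldependstoken"></unset>
            <unset token="form.save_flag"></unset>
          </done>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two things worth checking when you adopt this pattern. First, outputcsv writes to the search head's var/run/splunk/csv directory and the file names here are shared by every user of the dashboard, so two people ticking the box at the same time will overwrite each other's mytempresults.csv; including the $env:user$ token in the file name gives each user their own temp file. Second, `| where false()` on the hidden panel means its table is always empty, which is what you want: the panel exists only to trigger the file append, not to show anything.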

lfedak_splunk
Splunk Employee

Hey @mschellhouse, if @DalJeanis solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma

mschellhouse
Path Finder

Can you help explain what the where statement is doing in your example?

0 Karma

DalJeanis
Legend

It is getting rid of every single transaction that was created, so it doesn't get appended to the results.

appendpipe processes all your events through its search and then adds whatever comes out to the end of the result set. `| where false()` ensures that there are no actual additions.

0 Karma