We want to be able to save specific dashboard inputs using outputlookup only if the user has selected a control (check box, radio button,??). All other panels should display as normal. Essentially what we want to do is store the timeframes entered in a "valid results" table that we can then use to recall the same dashboard output again at a later time. Any suggestions on the best way to implement this?
Anywhere in your search, you can add this...
| appendpipe
[| addinfo
| stats min(info_min_time) as min_time max(info_max_time) as max_time
| eval search_time = now()
| table search_time min_time max_time
| outputcsv mytempresults.csv
| where false()
]
That saves your data to a temp file, overwriting the file every time it runs.
Next, you create a hidden panel using depends/rejects, with its own search code. When your control is checked, pressed, whatever, it sets the depends token and allows the append search to run, which also blanks out the temp file.
| inputcsv mytempresults.csv $mynulldependstoken$
| outputcsv append=t myrealresults.csv
| where false()
| outputcsv mytempresults.csv
You need to set a postprocess in the form that will clear out the token again, and you're done.
Hey @mschellhouse, if @DalJeanis solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!
Can you help explain what the where statement is doing in your example?
It is getting rid of every single transaction that was created, so it doesn't get appended to the results. appendpipe processes all your events through its search and then adds whatever comes out to the end of the result set. | where false() ensures that there are no actual additions.
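The answer's steps assembled into one Simple XML form, as an added example that is not from the original posts. The token names (tr, save_choice, save_trigger), the index=_internal base search, and passing the token through eval instead of placing it bare after the file name are assumptions made for illustration.

```xml
<form>
  <label>Save timeframe on demand (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="tr">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <!-- Assumed control: ticking the box sets save_trigger, clearing it unsets it -->
    <input type="checkbox" token="save_choice">
      <label>Save this timeframe</label>
      <choice value="yes">Save</choice>
      <change>
        <condition value="yes"><set token="save_trigger">true</set></condition>
        <condition><unset token="save_trigger"></unset></condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Base search is a placeholder; the appendpipe is the answer's, unchanged -->
          <query>index=_internal | stats count by sourcetype
| appendpipe [| addinfo
  | stats min(info_min_time) as min_time max(info_max_time) as max_time
  | eval search_time = now()
  | table search_time min_time max_time
  | outputcsv mytempresults.csv
  | where false() ]</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
  <!-- Shown only while save_trigger is set; its search waits for the token -->
  <row depends="$save_trigger$">
    <panel>
      <table>
        <search>
          <query>| inputcsv mytempresults.csv
| eval save_flag="$save_trigger$" | fields - save_flag
| outputcsv append=t myrealresults.csv
| where false()
| outputcsv mytempresults.csv</query>
          <!-- Clear the token and untick the box once the append has finished -->
          <done>
            <unset token="save_trigger"></unset>
            <unset token="form.save_choice"></unset>
          </done>
        </search>
      </table>
    </panel>
  </row>
</form>
```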