Display full SPL from job properties for a post-pr...

KenL · ‎05-10-2021

When debugging a dashboard sometimes it's helpful to be able to see the search that was ran with all the token values. To do this, I sometimes add inline HTML to show me the query strings so that I don't have to keep opening a new window to view what it is that broke the search. However, this worked fine until I started debugging post-process searches. Here's an example:

<input type=dropdown token="filterZ">
  ....
</input>
<search id="base">
  <query>index=abc | stats count by fieldA, fieldB</query>
</search>

<search base="base">
  <query>| search fieldA="$filterZ$"</query>
    <progress>
      <eval token="resCount">$job.resultCount$</eval>
      <eval token="strSearch">$job.search$</eval>
    </progress>
</search>
 
<row>
  <panel>
    <html>
      <div>
        Results: $resCount$ <br/>
        Search: $strSearch$
      </div>
    </html>
  </panel>
</row>

The job.resultCount returns the correct number to the post-processing search. I.e. if the base search returns 1000 rows, and the post search returns 50, the $resCount$ token tells me 50. However, the $strSearch$ shows me only the query for the base search. Is there another job property I could use which will show me the entire query including the pose-processing portion? I.e. index=abc | stats count by fieldA, fieldB | search fieldA="xyz"

Display full SPL from job properties for a post-process search

token

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?