How to identify the search that generated a dashboard panel?

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I'm running the search below inserting a specific user name.

index=_audit NOT "search=' | history" NOT (user=splunk-system-user OR user="monitoring" OR user="txm.alerts") NOT "search='typeahead" NOT "search=' | metadata type=* | search totalCount>0"
| eval Status=if(like(_raw, "%export%"), 1, 0)
| where Status=1
| search user="name"
| table user, search

The search runs, but because the user has exported data from a dashboard panel, the results for the search are returned as follows:

> REST:
> /search/jobs/_c3RlcGiZW5u_c3lbi5iZW5u_c3BsZXh0cmFjdC1hcHA__search9_147626.3699/results/export][n/a]

Could someone tell me please, is there a way to actually see the search for the dashboard panel?

Many thanks and kind regards

Chris

0 Karma
1 Solution

woodcock
Esteemed Legend

You can add this to your dashboard:

<done>
  <set token="MyPanelJobSID">$job.sid$</set>
</done>

Then the token is available for use anywhere, even in the title of the panel (a good place to put it for debugging).

IRHM73
Motivator

Hi @woodcock, forgive me because this is something that I've not done before. But I think I've set the token correctly as below:

<panel>
  <input type="time" token="time_range1">
    <label>Cust. Satisfaction Time</label>
    <default>
      <earliestTime>-8d@d</earliestTime>
      <latestTime>-1d@d</latestTime>
    </default>
  </input>
  <table>
    <title>Customer Satisfaction</title>
    <search>
      <query>QUERY CONTENT</query>
      <earliest>$time_range1.earliest$</earliest>
      <latest>$time_range1.latest$</latest>
      <!-- <done> is a search event handler, so it sits inside <search> -->
      <done>
        <set token="MyPanelJobSID">$job.sid$</set>
      </done>
    </search>
  </table>
</panel>

But could you tell me please how I then search for the token Id in my query?

Many thanks and kind regards

Chris

0 Karma

rjthibod
Champion

@IRHM73

You use the loadjob SPL command with the SID. After the first command in the query below, you can do whatever SPL commands you want, i.e., there are no limitations, unlike post-processing and global searches.

<search>
  <query>|loadjob $MyPanelJobSID$ | ... more SPL as you need it ... | ... | ...</query>
</search>

woodcock
Esteemed Legend

Exactly right.

0 Karma

rjthibod
Champion

^ this is correct for newer versions of Splunk Enterprise. If you are using something pre-6.3, you must use JavaScript.

0 Karma

hunters_splunk
Splunk Employee

Hi IRHM73,

Not sure if I understand your question correctly, but instead of table user, search, I'm wondering if you could try table user, savedsearch_name so that you can identify the specific saved search that was executed?

Thanks!
Hunter Shen

0 Karma

IRHM73
Motivator

Hi @hunters, thank you for taking the time to reply to my post. I think you've understood it correctly, but with the use of queries on panels, as I'm sure you know, the query isn't always a saved search, but it's hardcoded into the source XML for the dashboard, so unfortunately this doesn't work.

Kind Regards

Chris

0 Karma
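
The export entry quoted in the question carries the job's SID in its REST path, the same identifier the `$job.sid$` token exposes. As an added example (not code from this thread or from Splunk), the Python below pairs each `results/export` call with the search text logged for the same SID, working over audit lines exported from Splunk; the sample lines, the `search_id`/`search` field layout and every name in it are constructed assumptions.

```python
import re

# Constructed sample lines in the general shape of Splunk _audit events.
# The field layout, users and SIDs are assumptions made up for this example.
SAMPLE_AUDIT = [
    "Audit:[timestamp=10-12-2016 09:14:59.100, user=chris, action=search, "
    "info=granted, search_id='chris__chris__myapp__search9_1476263699.42', "
    "search='search index=web sourcetype=survey | stats avg(score) by region', "
    "autojoin='1']",
    "Audit:[timestamp=10-12-2016 09:15:20.500, user=chris, action=search, info=granted "
    "REST: /search/jobs/chris__chris__myapp__search9_1476263699.42/results/export][n/a]",
    "Audit:[timestamp=10-12-2016 09:20:01.000, user=dana, action=search, info=granted "
    "REST: /search/jobs/dana__dana__myapp__search2_1476264000.7/results/export][n/a]",
]

EXPORT_RE = re.compile(r"/search/jobs/(?P<sid>[^/\s]+)/results/export")
SEARCH_RE = re.compile(
    r"search_id='(?P<sid>[^']+)'.*?\bsearch='(?P<spl>.*?)'(?=, \w+=|\]|$)"
)
USER_RE = re.compile(r"\buser=(?P<user>[^,\s\]]+)")


def correlate_exports(lines):
    """Pair each results/export call with the SPL of the job it exported."""
    spl_by_sid, exports = {}, []
    for line in lines:
        started = SEARCH_RE.search(line)
        if started:
            spl_by_sid[started["sid"]] = started["spl"]
            continue
        exported = EXPORT_RE.search(line)
        if exported:
            user = USER_RE.search(line)
            exports.append((user["user"] if user else None, exported["sid"]))
    # Resolve after the full pass so event order does not matter; an export
    # whose job was logged outside the sample stays unresolved (search=None).
    return [
        {"user": user, "sid": sid, "search": spl_by_sid.get(sid)}
        for user, sid in exports
    ]


if __name__ == "__main__":
    for row in correlate_exports(SAMPLE_AUDIT):
        print(row["user"], row["sid"], row["search"] or "<search not in sample>")
```

An export left with no matching search text means the job's own audit event fell outside the lines supplied, so widen the time range of the audit extract before drawing conclusions.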