How to identify the search that generated a dashboard panel?

Motivator

Hi, I wonder whether someone may be able to help me please.

I'm running the search below inserting a specific user name.

index=_audit NOT "search=' | history" NOT (user=splunk-system-user OR user="monitoring" OR user="txm.alerts") NOT "search='typeahead" NOT "search=' | metadata type=* | search totalCount>0"
| eval Status=if(like(_raw, "%export%"), 1, 0)
| where Status=1
| search user="name"
| table user, search

The search runs, but because the user has exported data from a dashboard panel, the results for the search are returned as follows:

> REST:
> /search/jobs/_c3RlcGiZW5u_c3lbi5iZW5u_c3BsZXh0cmFjdC1hcHA__search9_147626.3699/results/export][n/a]

Could someone tell me please, is there a way to actually see the search for the dashboard panel?

Many thanks and kind regards

Chris

Esteemed Legend

You can add this to your dashboard:

<done>
  <set token="MyPanelJobSID">$job.sid$</set>
</done>

Then the token is available for use anywhere, even in the title of the panel (a good place to put it for debugging).

Motivator

Hi @woodcock, forgive me because this is something that I've not done before. But I think I've set the token correctly as below:

<panel>
  <input type="time" token="time_range1">
    <label>Cust. Satisfaction Time</label>
    <default>
      <earliestTime>-8d@d</earliestTime>
      <latestTime>-1d@d</latestTime>
    </default>
  </input>
  <table>
    <title>Customer Satisfaction</title>
    <search>
      <query>QUERY CONTENT</query>
      <earliest>$time_range1.earliest$</earliest>
      <latest>$time_range1.latest$</latest>
      <!-- <done> is a search event handler, so it is a child of <search> -->
      <done>
        <set token="MyPanelJobSID">$job.sid$</set>
      </done>
    </search>
  </table>
</panel>

But could you tell me please how I then search for the token Id in my query?

Many thanks and kind regards

Chris

Champion

@IRHM73

You use the loadjob SPL command with the SID. After the first command in the query below, you can use whatever SPL commands you want, i.e., there are no limitations, unlike post-processing and global searches.

<search>
  <query>| loadjob $MyPanelJobSID$ | ... more SPL as you need it ... | ... | ...</query>
</search>

Esteemed Legend

Exactly right.

Champion

^ this is correct for newer versions of Splunk Enterprise. If you are using something pre-6.3, you must use JavaScript.

Splunk Employee

Hi IRHM73,

Not sure if I understand your question correctly, but instead of table user, search, I'm wondering if you could try table user, savedsearch_name so that you can identify the specific saved search that was executed?

Thanks!
Hunter Shen

Motivator

Hi @hunters, thank you for taking the time to reply to my post. I think you've understood it correctly, but with the use of queries on panels, as I'm sure you know, the query isn't always a saved search, but it's hardcoded into the source XML for the dashboard, so unfortunately this doesn't work.

Kind Regards

Chris
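
Added example (not from the thread and not Splunk's own code): because inline panel queries carry no savedsearch_name, the SID embedded in the export path is the only key that links an export back to the search that produced the data. This Python code pairs each export event with the audit event of the job it exported, assuming that job was audited with a `search_id` field equal to the SID in the path; the sample lines, user names and SIDs are constructed.

```python
import re

# Constructed audit lines (not from the thread). Assumption: they follow the
# Audit:[... search='...'][n/a] layout of the export event quoted in the question.
SAMPLE_AUDIT = [
    "Audit:[timestamp=01-10-2017 09:00:01.000, user=chris, action=search, info=granted, "
    "search_id='chris__chris__search__search9_1484038801.42', "
    "search='search index=web status=500 | stats count by host', autojoin='1'][n/a]",
    "Audit:[timestamp=01-10-2017 09:00:09.000, user=chris, action=search, info=granted, "
    "search='REST: /search/jobs/chris__chris__search__search9_1484038801.42/results/export'][n/a]",
    # Export whose originating job is not in the sample (e.g. outside the time range).
    "Audit:[timestamp=01-10-2017 09:20:00.000, user=dana, action=search, info=granted, "
    "search='REST: /search/jobs/dana__dana__search__search3_1484040000.7/results/export'][n/a]",
]

USER_RE = re.compile(r"user=([^,\]]+)")
SEARCH_ID_RE = re.compile(r"search_id='([^']+)'")
# The search string may itself contain single quotes, so stop only at a quote
# that is followed by the next "key=" field or by the closing "][".
SEARCH_RE = re.compile(r"(?<!\w)search='(.*?)'(?=, \w+=|\]\[)")
EXPORT_RE = re.compile(r"/search/jobs/([^/]+)/results/export")


def resolve_exports(lines):
    """Return (user, sid, original_search_or_None) for every export event."""
    searches = {}  # search_id -> search string from the job's own audit event
    exports = []   # (user, sid) taken from REST export events
    for line in lines:
        user = USER_RE.search(line)
        query = SEARCH_RE.search(line)
        if not (user and query):
            continue
        export = EXPORT_RE.search(query.group(1))
        if export:
            exports.append((user.group(1), export.group(1)))
            continue
        sid = SEARCH_ID_RE.search(line)
        if sid:
            searches.setdefault(sid.group(1), query.group(1))
    # Resolve after the full pass so event order in the input does not matter.
    return [(user, sid, searches.get(sid)) for user, sid in exports]


if __name__ == "__main__":
    for user, sid, search in resolve_exports(SAMPLE_AUDIT):
        print(user, sid, search or "<originating job not found>")
```

An export that resolves to `None` means the originating job's audit event was not in the input, so widen the time range before concluding the search cannot be identified.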
