Re: How to pull a field from a saved report into a...

charliedgz · ‎01-19-2017

Is there a way to pull a field from a saved report into a dashboard and display only one of the fields in a panel? For instance, I have a saved search for the past 4 hours. I have 3 fields: total, avg, and valid. Let's say the numbers are 7009, 12, and 6576 respectively for example. I am trying to have different panels: One showing a gauge with the totals, one showing the average from the report, and one showing the valid number. Is there a way to pull the total from the report for one panel and avg from the report?

somesoni2 · ‎01-19-2017

You would've to use the ref feature of the search element in simple xml to reference a scheduled saved search. This it'll load the last run's results to dashboard panel, if one exists, or rerun the scheduled search. See more details with example here.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches#Reference_a_search_from_a_report

<search ref ="[name]">
....
References the report.

cmerriman · ‎01-19-2017

you could use the savedsearch command followed by fields

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

|savedsearch searchname|fields total

charliedgz · ‎01-19-2017

Ok, I tried doing this, but it keeps rerunning the search ( in my case 35 million events), even if I used a fix time range. I just want to abstract, say the 7009 without having to rerun the search.

cmerriman · ‎01-19-2017

sorry. try loadjob
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Loadjob

|loadjob savedsearch="charliedgz:search:searchname"

How to pull a field from a saved report into a dashboard and display only one of the fields in a panel?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)