I have a savedsearch file with all of my alerts. I want to be able to pull the entire query into a Splunk search when I click a stats table row that is displaying information about the search.
index="nitro_prod_splunk_application_summary" earliest=-1h@m latest=@m
    [| `nitro_prod_service_app_relationships` | search Category="*" Service="*" Application="*" | stats count by Application | table Application]
| join Application [| `nitro_prod_cmdb_service_app_relationships`]
| search Alert_Type="*" Metric_Category="*"
| eval FilterKey=Description.ID
| dedup FilterKey
| table Alert_Type Category Service Application Metric_Category Description Key ID
| rename Metric_Category as "Type" Alert_Type as "Alert" count as Count
| sort +Alert
Which creates a table that looks sort of like this:
Any ideas on how I would drilldown and be able to search the query behind what is being displayed?
Which column is the saved search/alert name? You can drilldown to a panel with the following search:
| savedsearch $drilldownTokenForColumnWhichContainsAlertName$
This should help get you started.
<!-- Based on the user-selected value, set a token to represent the full search string -->
<form>
  <label>test search swapper</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
      <change>
        <condition label="All time">
          <set token="new_search">`set_sos_index` sourcetype="ps" $host$
| multikv
| `get_splunk_process_type`
| eval RSZ_MB=RSZ_KB/1024
| eval VSZ_MB=VSZ_KB/1024
| bin _time span=5s
| stats first(pctCPU) AS pctCPU, first(RSZ_MB) AS RSZ_MB, first(VSZ_MB) AS VSZ_MB, first(type) AS type by PID _time
| stats sum(pctCPU) AS pctCPU, sum(RSZ_MB) AS RSZ_MB, sum(VSZ_MB) AS VSZ_MB by type, _time
| bin _time span=10s
| sistats avg(pctCPU), median(pctCPU), median(RSZ_MB), median(VSZ_MB) by type, _time</set>
        </condition>
        <condition label="Last 24 hours">
          <set token="new_search">index=_internal sourcetype=splunkd | table _time sourcetype message</set>
        </condition>
        <condition value="*">
          <set token="new_search">index=_internal sourcetype=splunkd | table _time source sourcetype message</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <!-- Panels whose <query> uses $new_search$ go here -->
</form>
Here is another one
<!-- Begin the conditional drill down -->
<drilldown>
  <condition field="MSO - Click for Expanded View">
    <set token="tablevariablesubscribers">$click.value2$</set>
    <!-- The clicked value is quoted so that names containing spaces parse as one string -->
    <eval token="s_mso_s">case("$click.value2$"="Cox Home Life - CHL", "Cox", "$click.value2$"="Cox Business Security Solutions - CBSS", "Coxsmb", 1=1, "*")</eval>
  </condition>
  <condition field="*">
    <unset token="tablevariablesubscribers"></unset>
  </condition>
</drilldown>
<!-- End the conditional drill down -->
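Putting the two pieces of advice above together (the `| savedsearch $token$` panel from the first answer and the row-click drilldown from the second), here is a complete Simple XML dashboard as an added example; it is not from the original thread. It assumes the alert list is built from the `saved/searches` REST endpoint rather than the summary index in the question, and that the alert name lands in a column called `Alert`; any search that produces such a column works the same way.

```xml
<form>
  <label>Alert drilldown example (added example, not from the original thread)</label>
  <row>
    <panel>
      <title>Alerts (click a row to run the saved search behind it)</title>
      <table>
        <!-- Assumption: list scheduled saved searches via REST; the question's
             summary-index search could be used here instead, as long as one
             column carries the saved-search name. -->
        <search>
          <query>| rest /servicesNS/-/-/saved/searches splunk_server=local
| search is_scheduled=1
| table title search cron_schedule disabled
| rename title AS "Alert"</query>
        </search>
        <drilldown>
          <!-- $row.Alert$ is the Alert column of the clicked row, whichever
               cell was clicked, so the token always holds the alert name. -->
          <set token="alert_name">$row.Alert$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <!-- This row stays hidden until alert_name has been set by a click. -->
  <row depends="$alert_name$">
    <panel>
      <title>Results of saved search: $alert_name$</title>
      <table>
        <search>
          <!-- The |s filter quotes and escapes the token, so a name with spaces
               or quotes is passed to savedsearch as a single string argument
               rather than being spliced into the SPL as bare text. -->
          <query>| savedsearch $alert_name|s$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because `| savedsearch` runs under the permissions of the user viewing the dashboard, a user only gets results for alerts that are shared with them; alerts that are private to another user or app context return an error rather than their results, which is the behaviour you want from a shared drilldown.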