Dashboards & Visualizations

How to store 1st search result in a token/variable and plug in token in other searches? (instead of running macro for each search)

kkas
Path Finder

I am making a dashboard that takes in a network ID and outputs information about that user.

Many of the searches require finding the main IP address of the user. I have a macro to output the IP from an inputted Network ID.
The problem is the macro can take some time to finish, so it adds on to the speed of finding search results. And if you compound that onto a lot of panels (10+) finding all results can be slowed heavily, especially since I'm looking to add more panels.

Is there a way to just do the macro once and set the result to a token/variable and just plug that variable into the panel searches rather than plugging in the macro and running the macro for each search?

User inputs network ID -> macro runs on that net ID and stores IP in a variable -> plug in variable in different searches

1 Solution

lguinn2
Legend

I think a better solution may be to use "post-process searches" in your dashboard. Generally, the panels in a dashboard display various views of a common set of data. Figure out the base search that can drive all (or most) of the panels - which should include the macro - and then post-process the base search results for each panel.

This may give you even more efficiency than you expected!

Here is a link to the docs on Post-process searches. You can also search for "Splunk postprocess search dashboard" and you will find a number of links to questions on Answers as well.

View solution in original post

lguinn2
Legend

I think a better solution may be to use "post-process searches" in your dashboard. Generally, the panels in a dashboard display various views of a common set of data. Figure out the base search that can drive all (or most) of the panels - which should include the macro - and then post-process the base search results for each panel.

This may give you even more efficiency than you expected!

Here is a link to the docs on Post-process searches. You can also search for "Splunk postprocess search dashboard" and you will find a number of links to questions on Answers as well.

kkas
Path Finder

Ok I came back because I found a funny way to do what I was looking for a little better.
I was able to use the dropdown and multisearching tool to store results. I used the autopopulate tool that allows you to input a search and populate the dropdown variables with the search results. You can then use that multisearch/dropdown's token anywhere in the code unlike post processing where it requires the search to be front end based.
The multiselect tool was coded as follows for future reference

<input type="multiselect" searchWhenChanged="true" token="comp">
      <label>Select ComputerName's to Assess</label>
      <default>All</default>
      <search>
        <query>sourcetype="Alpha" Account_Name=$netID$ earliest=$field1.earliest$ latest=$field1.latest$|stats count(ComputerName) by ComputerName</query>
      </search>
      <choice value="*">All</choice>
      <valuePrefix>ComputerName=</valuePrefix>
      <delimiter> OR </delimiter>
      <fieldForLabel>ComputerName</fieldForLabel>
      <fieldForValue>ComputerName</fieldForValue>
    </input>
0 Karma

daishih
Path Finder

I tried to duplicate this but the multi select search never finishes for me it just spins 😞 I ran the search in the main splunk search and it returns results just fine. Help?

0 Karma

arorajagmeet
Explorer

Very nice solution kkas. Simple and non-intrusive.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...