Dashboards & Visualizations

Override basesearch saved search with timerange token and convert to inline

subtrakt
Contributor

Hi
I like the simple xml post process and how fast it is when filtering data on a savedsearch.

However, on my dashboard, sometimes I want to override the saved search and expand the time range.

Is there any way to override saved search timerange and execute an inline search on the basesearch? This view is using simple xml postprocess and timerange button. Can a time token manually override the basesearch query?

<fieldset submitButton="false">
    <input type="text" token="FindHost" searchWhenChanged="true">
      <label>HOST FILTER</label>
      <default></default>
    </input>

     <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>

  </fieldset>
      <search id="BaseSearch1" ref="ALERTcht"></search>
  <row>
    <panel>

      <table>
        <title>TEST</title>
        <search base="BaseSearch1">
          <query>
            <![CDATA[| search host="*$FindHost$*" ]]>
          </query>
        </search>
        <option name="displayRowNumbers">true</option>
        <option name="height">300px</option>
        <option name="wrap">false</option>
        <option name="earliest">$field1$</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">100</option>
        <option name="refresh.auto.interval">300</option>
        <format type="sparkline" field="TREND">
          <option name="type">bar</option>
          <option name="height">20px</option>
          <!-- Use colorMap to map specific values to selected colors -->
          <option name="colorMap">
            <option name="1:">#FF0000</option>
            <option name=":0">#9ac23c</option>
          </option>
          <option name="barWidth">5px</option>
        </format>
      </table>
    </panel>
  </row>
  <row>
0 Karma
1 Solution

somesoni2
Revered Legend

It can. Just update the base search portion with this

Replace

 <search id="BaseSearch1" ref="ALERTcht"></search>

With

 <search id="BaseSearch1" ref="ALERTcht">
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
 </search>


0 Karma


subtrakt
Contributor

Thanks -

Good news: it makes the panels refresh when I choose a time.

Bad news: The charts still display the time defined in the 'Start time' and 'Finish time' under 'Time range' settings in the saved search form.

The underlying query in the saved search does not have earliest=-1h@h latest=now

<fieldset submitButton="false">

    <input type="text" token="FindHost" searchWhenChanged="true">
      <label>HOST FILTER</label>
      <default></default>
    </input>


    <input type="time" token="field1">
      <label>Timerange Under Development</label>
    </input>    
  </fieldset>  


  <search id="BaseSearch1" ref="ALERTcht">
     <earliest>$field1.earliest$</earliest>
     <latest>$field1.latest$</latest>  
  </search>
0 Karma

somesoni2
Revered Legend

Ok.. Let's try another option. Update your base search with this now.

 <search id="BaseSearch1">
    <query>| savedsearch ALERTcht</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
 </search>
0 Karma

subtrakt
Contributor

That works, however the default savedsearch is "waiting for input" until a timerange is selected. It's no longer instantly loading the savedsearch history.

   <input type="time" token="field1" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest></earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
  <search id="BaseSearch1" ref="ALERTcht">
    <query>| savedsearch ALERTcht</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
0 Karma

subtrakt
Contributor

Standby, it might be working properly. Testing.

0 Karma

subtrakt
Contributor

I don't think it's using the scheduled search history - I'll live with it for now.

0 Karma

somesoni2
Revered Legend

It won't. Also, if you're looking for flexibility to change the time range, the historical run wouldn't be useful anyways.

0 Karma

subtrakt
Contributor

Understood...

The idea would be to have the dashboard refresh every 5 minutes in monitor mode by using the scheduled search history. And if a user changes the timerange selector it goes into inline mode.

I guess I could have two dashboards, one for monitoring and one for historical research..

Either way, appreciate your help.

0 Karma
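Putting the pieces of this thread together, below is a complete Simple XML dashboard that runs the saved search inline under the time picker's range and post-processes it with the host filter. This is an added example, not code from either poster or from Splunk; it assumes the saved search is named ALERTcht as in the thread, and the default window of the last 24 hours is a constructed value chosen so the base search runs immediately on load instead of sitting at "waiting for input" while the time tokens are empty.

```xml
<form>
  <label>Alert monitor (added example, not the thread's dashboard)</label>
  <fieldset submitButton="false">
    <input type="text" token="FindHost" searchWhenChanged="true">
      <label>HOST FILTER</label>
      <default></default>
    </input>
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time range</label>
      <!-- Non-empty defaults populate $field1.earliest$ / $field1.latest$ on load,
           so the base search is not left "waiting for input". -24h@h is a
           constructed default for this example. -->
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: runs the saved search ALERTcht (assumed name from the thread)
       inline, so the picker's range overrides the saved search's own time
       settings. Re-runs every 5 minutes for monitor-style use. -->
  <search id="BaseSearch1">
    <query>| savedsearch ALERTcht</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <refresh>5m</refresh>
  </search>

  <row>
    <panel>
      <table>
        <title>Alerts matching host filter "$FindHost$"</title>
        <!-- Post-process search: filters the base search's results in the browser
             without re-running the saved search. -->
        <search base="BaseSearch1">
          <query>| search host="*$FindHost$*"</query>
        </search>
        <option name="count">100</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>
```

Two caveats worth keeping in mind: because `| savedsearch` executes the search inline, the dashboard does not reuse the scheduled search's stored results, so every load and every refresh costs a fresh run of ALERTcht over the selected range; and post-process searches operate on a bounded slice of the base search's results (10,000 events by default), so the base saved search should be narrowed or end in a transforming command rather than returning raw events.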