Override basesearch saved search with timerange token and convert to inline

Contributor

Hi
I like the Simple XML post-process and how fast it is when filtering data on a saved search.

However, on my dashboard, sometimes I want to override the saved search and expand the time range.

Is there any way to override the saved search time range and execute an inline search on the base search? This view uses Simple XML post-process and a time range button. Can a time token manually override the base search query?

<form>
  <fieldset submitButton="false">
    <input type="text" token="FindHost" searchWhenChanged="true">
      <label>HOST FILTER</label>
      <default></default>
    </input>

    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>

  <!-- base search bound to the saved search ALERTcht; no time range is set on it -->
  <search id="BaseSearch1" ref="ALERTcht"></search>

  <row>
    <panel>
      <table>
        <title>TEST</title>
        <search base="BaseSearch1">
          <query>
            <![CDATA[| search host="*$FindHost$*" ]]>
          </query>
        </search>
        <option name="displayRowNumbers">true</option>
        <option name="height">300px</option>
        <option name="wrap">false</option>
        <!-- "earliest" is not a table option; a time range has to be set on the <search> element -->
        <option name="earliest">$field1$</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">100</option>
        <option name="refresh.auto.interval">300</option>
        <format type="sparkline" field="TREND">
          <option name="type">bar</option>
          <option name="height">20px</option>
          <!-- Use colorMap to map specific values to selected colors -->
          <option name="colorMap">
            <option name="1:">#FF0000</option>
            <option name=":0">#9ac23c</option>
          </option>
          <option name="barWidth">5px</option>
        </format>
      </table>
    </panel>
  </row>
</form>

SplunkTrust

It can. Just update the base search portion with this

Replace

 <search id="BaseSearch1" ref="ALERTcht"></search>

With

 <search id="BaseSearch1" ref="ALERTcht">
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
 </search>



Contributor

Thanks -

Good news: it makes the panels refresh when I choose a time.

Bad news: The charts still display the time defined in the 'Start time' and 'Finish time' under 'Time range' settings in the saved search form.

The underlying query in the saved search does not have earliest=-1h@h latest=now

<fieldset submitButton="false">
    <input type="text" token="FindHost" searchWhenChanged="true">
      <label>HOST FILTER</label>
      <default></default>
    </input>

    <input type="time" token="field1">
      <label>Timerange Under Development</label>
    </input>
  </fieldset>

  <search id="BaseSearch1" ref="ALERTcht">
     <earliest>$field1.earliest$</earliest>
     <latest>$field1.latest$</latest>
  </search>

SplunkTrust

OK, let's try another option. Update your base search with this now.

 <search id="BaseSearch1">
   <query>| savedsearch ALERTcht</query>
   <earliest>$field1.earliest$</earliest>
   <latest>$field1.latest$</latest>
 </search>

Contributor

That works; however, the default saved search shows "waiting for input" until a time range is selected. It no longer instantly loads the saved search history.

   <!-- empty defaults leave $field1.earliest$ and $field1.latest$ unset until the picker is used -->
   <input type="time" token="field1" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest></earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
  <!-- a <search> takes either ref="" or a <query>, not both; the inline form uses <query> -->
  <search id="BaseSearch1">
    <query>| savedsearch ALERTcht</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>

Contributor

Standby, it might be working properly. Testing.

Contributor

I don't think it's using the scheduled search history. I'll live with it for now.

SplunkTrust

It won't. Also, if you're looking for flexibility to change the time range, the historical run wouldn't be useful anyway.

Contributor

Understood...

The idea would be to have the dashboard refresh every 5 minutes in monitor mode by using the scheduled search history, and if a user changes the time range selector it goes into inline mode.

I guess I could have two dashboards, one for monitoring and one for historical research.

Either way, I appreciate your help.
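The two approaches from the thread (a ref="" base search that serves the scheduled results of ALERTcht, and a "| savedsearch ALERTcht" base search whose earliest/latest come from the time picker) can live in one dashboard instead of two. The following Simple XML is an added example and is not code from the thread or from Splunk: it keeps the thread's saved search name ALERTcht and the tokens FindHost and field1, and it assumes ALERTcht is scheduled and returns a host field. The radio input, the mode and inline_mode tokens, and the search ids scheduled_base and inline_base are names introduced here for illustration.

```xml
<form>
  <label>ALERTcht - monitor / historical (example, not from the thread)</label>
  <fieldset submitButton="false">
    <input type="text" token="FindHost" searchWhenChanged="true">
      <label>HOST FILTER</label>
      <default></default>
    </input>

    <!-- Assumed control: flips between the scheduled (monitor) and inline (historical) base searches -->
    <input type="radio" token="mode" searchWhenChanged="true">
      <label>Mode</label>
      <choice value="scheduled">Monitor (last scheduled run)</choice>
      <choice value="inline">Historical (inline, pick a time range)</choice>
      <default>scheduled</default>
      <change>
        <condition value="inline">
          <set token="inline_mode">true</set>
        </condition>
        <condition value="scheduled">
          <unset token="inline_mode"></unset>
        </condition>
      </change>
    </input>

    <!-- Shown only in inline mode; non-empty defaults avoid the "waiting for input" state -->
    <input type="time" token="field1" searchWhenChanged="true" depends="$inline_mode$">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Monitor mode: ref="" with no earliest/latest keeps the saved search's own time window,
       so the dashboard can reuse the newest scheduled artifact; re-dispatched every 5 minutes -->
  <search id="scheduled_base" ref="ALERTcht" rejects="$inline_mode$" refresh="5m"></search>

  <!-- Inline mode: re-run the saved search's SPL under the picker's time range.
       earliest/latest on this <search> override the saved search's Start/Finish time -->
  <search id="inline_base" depends="$inline_mode$">
    <query>| savedsearch ALERTcht</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>

  <row>
    <panel rejects="$inline_mode$">
      <title>TEST (scheduled results)</title>
      <table>
        <search base="scheduled_base">
          <query>| search host="*$FindHost$*"</query>
        </search>
        <option name="count">100</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
    <panel depends="$inline_mode$">
      <title>TEST (inline, $field1.earliest$ to $field1.latest$)</title>
      <table>
        <search base="inline_base">
          <query>| search host="*$FindHost$*"</query>
        </search>
        <option name="count">100</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</form>
```

Two things to check when adopting this. First, a ref="" base search only reuses scheduled artifacts when the dashboard viewer can read the saved search and its results; otherwise Splunk dispatches it fresh, which is what the thread observed as "not using the scheduled search history". Second, $FindHost$ is substituted into the post-process SPL as raw text, so a value containing a double quote breaks the string; the $FindHost|s$ filter quotes and escapes the value if exact host matching is acceptable in place of the wildcard padding.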