I thought this would be an easy one. I have a simple XML dashboard that I'm converting to advanced XML because I need to give the user the choice of timeframe. Simple XML can't handle this because I insist on using saved searches. There are too many events to run them in real time. So, I have a Pulldown module for the time range drop down (This month, Last month, Two months ago, etc.) and I have a SavedSearch module where I need the "name" to be parameterized. The obvious attempt failed:
My idea was to have a separate saved search for each month named like so: JobDistribution, JobDistribution1MonthAgo, JobDistribution2MonthAgo, etc. "viewmonth" is the name of the Pulldown where its values are "", "1MonthAgo", etc. The substitution is not happening and Splunk tells me it can't find the saved search "JobDistribution$view_month$".
Can the name of the search be parameterized?
Splunk 5.0.14 & SideviewUtils 2.2.2
So what you are saying is this: I have multiple scheduled saved_searches running in the background; each has a different time range. Users need to pick a timerange and then Splunk should present the proper results.
You do not need to use advanced XML to accomplish this. You can use simple XML.
Provide a drop-down list with the time choices
<choice value="1">Last month</choice>
<choice value="2">Last 2 months</choice>
...etc...
Then set tokens to capture the value selected.
<condition value="1">
  <set token="LastMonth">1</set>
</condition>
...etc...
Finally, create a panel and control which of the saved search results appears:
<panel>
  <chart depends="$LastMonth$">
    <search ref="saved_search_number_1"></search>
  </chart>
  <chart depends="$Last2Months$">
    <search ref="saved_search_number_2"></search>
  </chart>
</panel>
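As an added example (not code from the answer above or from Splunk's documentation), here is the complete Simple XML form that the answer sketches, using the saved-search names from the question. It assumes a Splunk release whose Simple XML supports `<change>` conditions, `<set>`/`<unset token>` and the `depends` attribute. Each drop-down choice sets exactly one visibility token and clears the other two; without the `<unset>` lines a user who switches choices would see the previously selected panel stay on screen alongside the new one.

```xml
<form>
  <label>Job Distribution</label>
  <fieldset submitButton="false">
    <!-- One token per time frame; every condition sets its own token and
         unsets the others so that only one panel is visible at a time. -->
    <input type="dropdown" token="view_month">
      <label>Time frame</label>
      <choice value="0">This month</choice>
      <choice value="1">Last month</choice>
      <choice value="2">Two months ago</choice>
      <default>0</default>
      <change>
        <condition value="0">
          <set token="show_m0">true</set>
          <unset token="show_m1"></unset>
          <unset token="show_m2"></unset>
        </condition>
        <condition value="1">
          <unset token="show_m0"></unset>
          <set token="show_m1">true</set>
          <unset token="show_m2"></unset>
        </condition>
        <condition value="2">
          <unset token="show_m0"></unset>
          <unset token="show_m1"></unset>
          <set token="show_m2">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <!-- Each panel references one scheduled saved search by name (names taken
         from the question). The panel is only rendered while its token is set. -->
    <panel depends="$show_m0$">
      <chart>
        <title>Job Distribution (this month)</title>
        <search ref="JobDistribution"></search>
        <option name="charting.chart">line</option>
        <option name="charting.axisTitleY.text">Job Count</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
    <panel depends="$show_m1$">
      <chart>
        <title>Job Distribution (last month)</title>
        <search ref="JobDistribution1MonthAgo"></search>
        <option name="charting.chart">line</option>
        <option name="charting.axisTitleY.text">Job Count</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
    <panel depends="$show_m2$">
      <chart>
        <title>Job Distribution (two months ago)</title>
        <search ref="JobDistribution2MonthAgo"></search>
        <option name="charting.chart">line</option>
        <option name="charting.axisTitleY.text">Job Count</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</form>
```

Because `<search ref="...">` loads the scheduled results of a saved search, every saved search referenced here must be shared (at app level, with read permission) to the roles that use the dashboard; a saved search left private to its owner produces an error panel for everyone else rather than the cached results.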
I found an old post with a possible solution: https://answers.splunk.com/answers/39664/dynamic-saved-search-foo-substitution.html
But for some reason it doesn't quite work. When I run the saved search using "loadjob" from the search bar in Splunk it looks correct. When I embed it in a Search module it mangles the series so that the X axis is no longer time but one of the field's output. This is my search module:
<module name="Search" layoutPanel="panel_row2_col1" autoRun="False">
  <param name="search">| loadjob savedsearch="xxx:search:JobDistribution$view_month$"</param>
  <module name="HTML">
    <param name="html"><![CDATA[<div style="font-weight:bold; color:green">Job Distribution</div>]]></param>
    <module name="HiddenChartFormatter">
      <param name="charting.axisTitleY.text">Job Count</param>
      <param name="charting.legend.placement">bottom</param>
      <param name="charting.chart">line</param>
      <param name="charting.axisTitleX.text"></param>
      <param name="charting.axisLabelsX.majorUnit">P0Y0M1DT0H0M0S</param>
      <module name="FlashChart" />
    </module>
  </module>
</module>
The $view_month$ param substitution works fine. The chart however is a mess... trying to include an image on this post...
See my answer for the more root-cause level answer. But here I think the loadjob problem may fall under loadjob's finickiness. Specifically it may be reordering the fields a bit. Are there still _time and _span fields? If Splunk's charting framework doesn't see both of those, then it will fall back from a time axis to a plain categorical axis.
That makes sense. I'll try to refactor my search to see if that helps. But if loadjob can't guarantee field order then I suppose my only choice is to switch over to real time searches and let the users wait. Thanks!
The root cause here is that the Sideview SavedSearch module actually does its work as the page is loaded. So it has no way to load the saved search more dynamically after the page is loaded, which is why it doesn't support $foo$ tokens in the saved search name.
So you do have to use the loadjob command, which can be quite finicky.
This root cause is fixed in Canary (where the SavedSearch module does all its work after the page is loaded) but that doesn't help you because it's not released yet, and because it won't be supported on 5.X either.
One more sort of top-level warning about this area - watch out that the "HiddenSavedSearch" module is a Splunk module from about 2008/2009, whereas the Sideview replacement is just called "SavedSearch".
You can use the |loadjob approach but you need to EITHER use |savedsearch instead OR pass the search results back through timechart once more so that the dashboard render code knows to do the special timechart-foo (which is obscured when you do loadjob). To try this, just add this to the end of the loadjob search command:
|loadjob ... | untable _time thingies count | timechart avg(count) AS count BY thingies
You may need to hard-code a span=<something> to match what is in the original search's timechart command to make it match exactly.
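Putting the two fragments of this answer together, here is the original poster's Search module with the loadjob query rebuilt so that the chart gets a time axis again. This is an added example, not the answer author's code: the split-by field name `job_type` is assumed (it stands in for the answer's `thingies`), `span=1d` is assumed because the original chart formatter uses a one-day `majorUnit`, and `xxx:search:` is the owner:app placeholder exactly as it appears in the question.

```xml
<module name="Search" layoutPanel="panel_row2_col1" autoRun="False">
  <!-- loadjob pulls the cached scheduled results; untable turns the timechart
       matrix back into (_time, job_type, count) rows, and the second timechart
       regenerates _time and _span so the charting code renders a time axis.
       span=1d must equal the span used by the saved search's own timechart,
       otherwise the rebuilt buckets will not line up with the cached ones. -->
  <param name="search">| loadjob savedsearch="xxx:search:JobDistribution$view_month$" | untable _time job_type count | timechart span=1d avg(count) AS count BY job_type</param>
  <module name="HTML">
    <param name="html"><![CDATA[<div style="font-weight:bold; color:green">Job Distribution</div>]]></param>
    <module name="HiddenChartFormatter">
      <param name="charting.axisTitleY.text">Job Count</param>
      <param name="charting.legend.placement">bottom</param>
      <param name="charting.chart">line</param>
      <param name="charting.axisTitleX.text"></param>
      <param name="charting.axisLabelsX.majorUnit">P0Y0M1DT0H0M0S</param>
      <module name="FlashChart" />
    </module>
  </module>
</module>
```

A quick way to confirm the rebuild worked is to run the same pipeline from the search bar and append `| fields _time _span *`: both `_time` and `_span` must be present in the output for the chart to use a time axis, which is the check suggested in the comment above.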