Splunk Dev

Link and pass parameter to saved search?

andyk
Path Finder

How can I link to and run a Splunk search from our in-house developed first-line support system?

I have a search that looks like this:

"host="10.zz.yy.11" OR host="10.xx.zz.12" order_id="XXXXXX" | transaction order_id"

Our support personnel find the order_id in the support system, and now they have to copy the order_id, log in to Splunk, type in the search, paste the order_id, and run the search. I would like to just add a link in the support system that opens a new window where the results of the search are shown. What is the best way to do this?

// Andreas

0 Karma
1 Solution

gkanapathy
Splunk Employee

You can

  1. modify your savedsearch so it takes a parameter that can be passed in via the "savedsearch" search command: http://www.splunk.com/base/Documentation/latest/SearchReference/Savedsearch
  2. create a URL from your other system that looks like: http://splunkurl/app/search/flashtimeline?q=savedsearch mysavedsearchname myparamname=myparamvalue. To be strict about it, the entire query savedsearch myparam=myparamvalue needs to be URL-encoded. You can also pass this search to a different view other than search/flashtimeline, e.g., you could use search/charting


Update. Example stripped-down view you could use instead of flashtimeline or charting:

<view template="dashboard.html" onunloadCancelJobs="False" autoCancelInterval="100">
  <!--  autoCancelInterval is set here to 100  -->
  <label>Chart</label>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">3</param>
  </module>

  <module name="FlashChart" layoutPanel="panel_row1_col1">
    <param name="width">100%</param>
    <param name="height">100%</param>
  </module>

</view>
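
An added example (not part of the original answer) of building the link from step 2 on the support-system side: the order id is checked against an allowlist before it is placed into the search string, and the whole query is then URL-encoded. `splunkurl`, `mysavedsearchname` and `myparamname` are the answer's placeholders; the order-id pattern and the function names are assumptions.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

# Placeholders taken from the answer; replace with your own values.
SPLUNK_VIEW = "http://splunkurl/app/search/flashtimeline"
SAVED_SEARCH = "mysavedsearchname"
PARAM_NAME = "myparamname"

# Assumed order-id format. Anything outside this set (space, quote, pipe,
# bracket, ...) could change the meaning of the search string the value is
# substituted into, so it is rejected rather than escaped.
ORDER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_search_link(order_id: str) -> str:
    """Return a link that runs the saved search for a single order id."""
    if not ORDER_ID_RE.fullmatch(order_id):
        raise ValueError("order_id contains characters outside the allowlist")
    query = f"savedsearch {SAVED_SEARCH} {PARAM_NAME}={order_id}"
    # safe="" percent-encodes every reserved character (space, '=', '&', ...),
    # so the entire query travels as one q= value.
    return f"{SPLUNK_VIEW}?q={quote(query, safe='')}"


def decoded_query(link: str) -> str:
    """Decode q= again to check the search string the view will receive."""
    return parse_qs(urlsplit(link).query)["q"][0]


if __name__ == "__main__":
    link = build_search_link("A1B2C3")  # constructed sample order id
    print(link)
    print(decoded_query(link))
    try:
        build_search_link("A1B2C3 | extra command")  # constructed bad value
    except ValueError as err:
        print("rejected:", err)
```
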


mayler
Path Finder

Did gkanapathy mean: http://splunkurl/app/search/flashtimeline?q=savedsearch

or

http://splunkurl/app/search/flashtimeline?s=savedsearch

Are you ok with using Reports? Or would that be too much work...

0 Karma

gkanapathy
Splunk Employee

I mean q=, which will invoke the savedsearch command, but I forgot to put in the name of the saved search; I'm correcting that. The other, s=, will invoke the named savedsearch, but you can't pass parameters with it.

0 Karma

gkanapathy
Splunk Employee

Yes, but you'd have to create such a view yourself. It would actually be a very simple view. I have updated above with an example that would render as a chart, but you could make a similar one with a table, etc.

0 Karma

andyk
Path Finder

Is it possible to send it to a view where I only see the results and not the menu, timeline and the fields?

0 Karma

cpenkert
Path Finder

Are you looking for a way to do this in the context of the Splunk GUI, or do you want to go through the search API and have the results returned for your display within your existing system?

0 Karma

andyk
Path Finder

I just want something up and running quickly, so I will use Splunk's UI right now. In a later stage I might use the API.

0 Karma