Link and pass parameter to saved search?

Path Finder

How can I link to and run a Splunk search from our in-house developed first-line support system?

I have a search that looks like this:

"host="10.zz.yy.11" OR host="10.xx.zz.12" order_id="XXXXXX" | transaction order_id"

Our support personnel find the order_id in the support system and now they have to copy the orderid, log in to Splunk, type in the search, paste the orderid, and run the search. I would like to just add a link in the support system that opens a new window where the results of the search are shown. What is the best way to do this?

// Andreas

0 Karma
1 Solution

Splunk Employee

You can

  1. modify your savedsearch so it takes a parameter that can be passed in via the "savedsearch" search command: http://www.splunk.com/base/Documentation/latest/SearchReference/Savedsearch
  2. create a URL from your other system that looks like: http://splunkurl/app/search/flashtimeline?q=savedsearch mysavedsearchname myparamname=myparamvalue. To be strict about it, the entire query savedsearch myparam=myparamvalue needs to be URL-encoded. You can also pass this search to a different view other than search/flashtimeline, e.g., you could use search/charting


Update. Example stripped-down view you could use instead of flashtimeline or charting:

<view template="dashboard.html" onunloadCancelJobs="False" autoCancelInterval="100">
  <!--  autoCancelInterval is set here to 100  -->
  <label>Chart</label>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">3</param>
  </module>

  <module name="FlashChart" layoutPanel="panel_row1_col1">
    <param name="width">100%</param>
    <param name="height">100%</param>
  </module>

</view>
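
As an added example (not part of the original answer and not Splunk's own code), here is one way the support system could build the link from step 2 in Python: the order ID is checked against an allowlist before it goes into the search string, and the whole query is then URL-encoded. The saved search name `order_lookup`, the parameter name `order_id` and the order ID format are assumptions.

```python
import re
from urllib.parse import quote

# Assumptions, not from the original post: the saved search is called
# "order_lookup", it takes one argument named "order_id", and order IDs are
# 1-32 characters drawn from letters, digits, "-" and "_".
SPLUNK_BASE = "http://splunkurl"
SAVED_SEARCH = "order_lookup"
PARAM_NAME = "order_id"
ORDER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def build_search_link(order_id, view="flashtimeline"):
    """Return a URL that runs `savedsearch <name> <param>=<value>` in Splunk."""
    # The value ends up inside a search string, so only accept characters
    # that cannot end the argument or start another command (no spaces,
    # quotes, pipes or brackets). Reject everything else outright.
    if not isinstance(order_id, str) or not ORDER_ID_RE.fullmatch(order_id):
        raise ValueError("order_id has an unexpected format")

    query = f"savedsearch {SAVED_SEARCH} {PARAM_NAME}={order_id}"

    # Encode the entire query, as the answer says; safe="" also encodes
    # "/" and "=" so nothing in the query is read as URL syntax.
    return f"{SPLUNK_BASE}/app/search/{view}?q={quote(query, safe='')}"


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    for sample in ("A-1001", "A1 | stats count", 'A1" OR x="'):
        try:
            print(sample, "->", build_search_link(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

The support system should also HTML-escape the resulting URL when it writes it into the page as a link.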


Path Finder

Did gkanapathy mean: http://splunkurl/app/search/flashtimeline?q=savedsearch

or

http://splunkurl/app/search/flashtimeline?s=savedsearch

Are you ok with using Reports? Or would that be too much work...

0 Karma

Splunk Employee

I mean q=, which will invoke the savedsearch command, but I forgot to put in the name of the saved search, but I'm correcting that. The other, s=, will invoke the savedsearch named, but you can't pass parameters with it.

0 Karma

Splunk Employee

Yes, but you'd have to create such a view yourself. It would actually be a very simple view. I have updated above with an example that would render as a chart, but you could make a similar one with a table, etc.

0 Karma

Path Finder

Is it possible to send it to a view where I only see the results and not the menu, timeline and the fields?

0 Karma

Path Finder

Are you looking for a way to do this in the context of the Splunk GUI, or do you want to go through the search API and have the results returned for your display within your existing system?

0 Karma

Path Finder

I just want something up and running quickly, so I will use Splunk's UI right now. At a later stage I might use the API.

0 Karma