Is it possible to run the search of a dashboard by using its ID?
Also, can I add fields to the search above? I.e. if a dashboard conducts this search:
(index="mysource" earliest=-264h latest=now())
| eval metric=case(index="mysource", '_time')
Can I do something like:
search $dashboard_id$ = 'my_dashboard'
| eval Timestamp=strftime(now(),"%d/%m/%Y %H:%M:00")
| table A1 A2 Timestamp
I.e. append additional code?
Edit the dashboard then click the Source button to view the XML. Use the examples in the link above as a guide to create a base search and then turn the later search into a post-processing search (by using the 'base=' option to refer to the base search).
@richgalloway mm unfortunately it does not work. I am not the author of the dashboard that's why I am struggling.
If I click to Edit the dashboard, it only offers to either Clone it or make it a Home Dashboard.
I clicked to Clone and then checked the source and it is completely empty.
Is there a way to create a search by the $dashboard.label$ of the dashboard and can you provide a sample syntax please? Without knowing its source/XML or being able to edit it? I only want to run it periodically to get alerts.
Sorry, my answers assume you own the dashboard in question. If you're not the owner then cloning the dashboard should have worked. I don't understand why a working dashboard would clone into something completely empty.
If you have the right permissions then a REST query may help.
| rest /services/data/ui/views/<<name of the dashboard>> | table title data
@richgalloway thanks but is there a way to check if I have Rest access? I am only a user not a dev. Also, can you provide please the complete syntax based on my main url? I tried some starting uris but they resulted in 404. My main url is https://mysite.splunkcloud.com/en-US/app/myapp/mydashboard
If you run a REST command and it works then you have access. Contact your Splunk admin to check or to get access.
The complete syntax is in the answer above. If you also need the CLI command try this:
curl -k https://mysite.splunkcloud.com/services/data/ui/views/mydashboard
I 'm not sure, but I it may be because you don't have access. Check the internal logs (or have your admin do it) to see if there's an explanation there.
You can accomplish the same goal by using a base search and post-processing. See https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/Savedsearches#Post-process_searches