Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Applying form input to Savedsearch results

sranga
Path Finder
‎05-26-2010 10:23 PM

Hi

I have a saved-search (my_search) that is configured to run every 30 minutes. It gathers aggregate data from the past 7 days.

I have a form that has one input field. Based on the the input field value from this form, I would like to filter the results of my saved-search. I currently have this setup as: 

<form>
  <label>Test</label>
  <fieldset>
    <input type="dropdown" token="field1">
      <label>Field</label>
      <choice value="1">A value</choice>
      <choice value="2">Another value</choice>
      <choice value="3">Second value</choice>
    </input>
  </fieldset>
  <row>
    <chart>
      <searchTemplate>| savedsearch "my_search" | search $field1$ | timechart count by field2 </searchTemplate>
      <title>My Chart</title>
    </chart>
  </row>
</form>

When I access the chart, a new query is issued based on the field1 value. Is there a way to force the chart to use the "saved" results from the previous run of the search and then apply the filter rather than issuing a new query every time I access the chart?

Thanks for your help.

Ranga

Tags (2)
Reply

Lowell
Super Champion
‎05-26-2010 11:03 PM

Per the docs:

Runs a saved search, possibly cached by disk. Also, performs macro replacement.

So it sounds like this should happen for you automatically.

I'm assuming that your scheduled saved search has already run previously, correct? I've run into issues like that before, which ended up just being timing related. You should be able to see previous runs in the job viewer (or in the dispatch directory on the server). You may want to also double check your permissions settings.

What happens if your run the search | savedsearch "my_search" interactively?

The other more complicated approach would be to switch to advanced XML (ugh) and use the HiddenSavedSearch and set the useHistory parameter to True. Then use a HiddenPostProcess module to do your post-processing search to do your form-level filtering.

Hopefully the first works.

Update. I was curious about the phrase "performs macro replacement", so I asked about it here: What is macro replacement in a saved search?. While a useful feature, It doesn't appear to be what's going on here (based on the search given in the posted XML). And in fact (as gkanapathy points out) using macro replacement will prevent your saved search from being cached because the search changes based on those macro values.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-28-2010 02:55 PM

And your saved search above does not use a macro replacement, so as long as it's scheduled, it should use the saved artifact from the last run.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-28-2010 03:50 AM

A saved search with a macro replacement call will not use a cache.

0 Karma
Reply

sranga
Path Finder
‎05-27-2010 09:02 PM

Thanks. I was wondering how the macro-replacement should be specified in a saved search. This saved-search runs on a schedule. Should some value be specified as a default for the macro definition?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...