Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Applying form input to Savedsearch results

sranga
Path Finder
‎05-26-2010 10:23 PM

Hi

I have a saved-search (my_search) that is configured to run every 30 minutes. It gathers aggregate data from the past 7 days.

I have a form that has one input field. Based on the the input field value from this form, I would like to filter the results of my saved-search. I currently have this setup as: 

<form>
  <label>Test</label>
  <fieldset>
    <input type="dropdown" token="field1">
      <label>Field</label>
      <choice value="1">A value</choice>
      <choice value="2">Another value</choice>
      <choice value="3">Second value</choice>
    </input>
  </fieldset>
  <row>
    <chart>
      <searchTemplate>| savedsearch "my_search" | search $field1$ | timechart count by field2 </searchTemplate>
      <title>My Chart</title>
    </chart>
  </row>
</form>

When I access the chart, a new query is issued based on the field1 value. Is there a way to force the chart to use the "saved" results from the previous run of the search and then apply the filter rather than issuing a new query every time I access the chart?

Thanks for your help.

Ranga

Tags (2)
Reply

Lowell
Super Champion
‎05-26-2010 11:03 PM

Per the docs:

Runs a saved search, possibly cached by disk. Also, performs macro replacement.

So it sounds like this should happen for you automatically.

I'm assuming that your scheduled saved search has already run previously, correct? I've run into issues like that before, which ended up just being timing related. You should be able to see previous runs in the job viewer (or in the dispatch directory on the server). You may want to also double check your permissions settings.

What happens if your run the search | savedsearch "my_search" interactively?

The other more complicated approach would be to switch to advanced XML (ugh) and use the HiddenSavedSearch and set the useHistory parameter to True. Then use a HiddenPostProcess module to do your post-processing search to do your form-level filtering.

Hopefully the first works.

Update. I was curious about the phrase "performs macro replacement", so I asked about it here: What is macro replacement in a saved search?. While a useful feature, It doesn't appear to be what's going on here (based on the search given in the posted XML). And in fact (as gkanapathy points out) using macro replacement will prevent your saved search from being cached because the search changes based on those macro values.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-28-2010 02:55 PM

And your saved search above does not use a macro replacement, so as long as it's scheduled, it should use the saved artifact from the last run.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-28-2010 03:50 AM

A saved search with a macro replacement call will not use a cache.

0 Karma
Reply

sranga
Path Finder
‎05-27-2010 09:02 PM

Thanks. I was wondering how the macro-replacement should be specified in a saved search. This saved-search runs on a schedule. Should some value be specified as a default for the macro definition?

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...