Reporting

Pass form field values to saved searches

sranga
Path Finder

Hi

I have a dynamic form that displays a chart. I was wondering if the following is possible:

1) Execute a "Saved Search" to populate the values for one of the form field's (dropdown) list. I tried using populatingSavedSearch and it does not work [see example below]
2) Execute the search for populating the chart in a schedule. I can do this for static searches. Since I have a need to pass in form field values to the search, this needs to work for dynamic searches. Can I replace the searchTemplate [see example below] with a searchName? If not, is there another way to specify running the search on a schedule?

Example configuration (does not work😞

<form>  
  <label>Saved Search</label>  
  <fieldset>  
    <input type="dropdown" token="id">
      <label>ID</label>
      <prefix>id="</prefix>
      <suffix>"</suffix>
      <populatingSavedSearch fieldForValue="idname" fieldForLabel="idname">saved_values
      </populatingSavedSearch>  
    </input>
    <input type="time" />
  </fieldset>
  <row>
    <chart>
      <searchTemplate>`summary` | search $id$</searchTemplate>
      <title>My Dynamic Saved Search</title>
    </chart>
  </row>  
</form>  

saved_values:

index="list_app" | top limit=0 idname | fields + idname | sort idname

summary:

index="my_app" source="test*"

Thanks for your help.

Ranga

thall79
Communicator

Ok if I am reading this correctly are you wanting a savedsearch to populate a drop down box. Then from that drop down box you want to make a selection to generate a chart.

Have you tried using a SearchSelectLister:

http://www.splunk.com/base/Documentation/4.1.1/Developer/ModuleReference#SearchSelectLister

http://www.splunk.com/base/Documentation/4.1.1/Developer/HowToUseListers#SearchSelectLister

Then you could set the dashboard to refresh every X amount seconds and it will generate new data.

Travis.

thall79
Communicator

Everything on the Dashboard would be refreshed at X time. In my main dashboard I begin my XML like this to refresh everything every 10 minutes:

Here is example of SearchSelectLister that I used for awhile, but rebuilt it using field searches and a LinkSwitcher which works better for my views.

http://www.splunk.com/support/forum:SplunkDev/3806

Travis.

0 Karma

sranga
Path Finder

Thanks. Yes, the problem statement you described is what I want. I shall look into the SearchSelectLister module. Would this result in the "default" value search being run every so often or would it actually run the search for all of the values in the list every X amount of time?

0 Karma

sranga
Path Finder

I've added the saved_values and summary search/search macros to the original question (above). As for the scheduled search, I was wondering if a dynamic search could be scheduled to run the search for all of the values in the input list periodically.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Also, I don't understand what you mean when you say you want to run a search on a schedule, but also allow a user to dynamically populate in one of the (required, I would think) parameters of the search.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

you need to show us the definition of the saved_values saved search, as well as probably some of the data or output of the search. incidentally, and this isn't fundamental to your UI issue, your searchTemplate should be source="test*" AND $id$, not using the search operator unnecessarily.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...