Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pass form field values to saved searches

sranga
Path Finder
‎04-19-2010 06:25 PM

Hi

I have a dynamic form that displays a chart. I was wondering if the following is possible:

1) Execute a "Saved Search" to populate the values for one of the form field's (dropdown) list. I tried using populatingSavedSearch and it does not work [see example below]
2) Execute the search for populating the chart in a schedule. I can do this for static searches. Since I have a need to pass in form field values to the search, this needs to work for dynamic searches. Can I replace the searchTemplate [see example below] with a searchName? If not, is there another way to specify running the search on a schedule?

Example configuration (does not work😞 

<form>  
  <label>Saved Search</label>  
  <fieldset>  
    <input type="dropdown" token="id">
      <label>ID</label>
      <prefix>id="</prefix>
      <suffix>"</suffix>
      <populatingSavedSearch fieldForValue="idname" fieldForLabel="idname">saved_values
      </populatingSavedSearch>  
    </input>
    <input type="time" />
  </fieldset>
  <row>
    <chart>
      <searchTemplate>`summary` | search $id$</searchTemplate>
      <title>My Dynamic Saved Search</title>
    </chart>
  </row>  
</form>

saved_values:

index="list_app" | top limit=0 idname | fields + idname | sort idname

summary:

index="my_app" source="test*"

Thanks for your help.

Ranga

Reply

thall79
Communicator
‎04-20-2010 06:24 PM

Ok if I am reading this correctly are you wanting a savedsearch to populate a drop down box. Then from that drop down box you want to make a selection to generate a chart.

Have you tried using a SearchSelectLister:

http://www.splunk.com/base/Documentation/4.1.1/Developer/ModuleReference#SearchSelectLister

http://www.splunk.com/base/Documentation/4.1.1/Developer/HowToUseListers#SearchSelectLister

Then you could set the dashboard to refresh every X amount seconds and it will generate new data.

Travis.

Reply

thall79
Communicator
‎04-20-2010 09:18 PM

Everything on the Dashboard would be refreshed at X time. In my main dashboard I begin my XML like this to refresh everything every 10 minutes:

Here is example of SearchSelectLister that I used for awhile, but rebuilt it using field searches and a LinkSwitcher which works better for my views.

http://www.splunk.com/support/forum:SplunkDev/3806

Travis.

0 Karma
Reply

sranga
Path Finder
‎04-20-2010 08:16 PM

Thanks. Yes, the problem statement you described is what I want. I shall look into the SearchSelectLister module. Would this result in the "default" value search being run every so often or would it actually run the search for all of the values in the list every X amount of time?

0 Karma
Reply

sranga
Path Finder
‎04-20-2010 03:54 PM

I've added the saved_values and summary search/search macros to the original question (above). As for the scheduled search, I was wondering if a dynamic search could be scheduled to run the search for all of the values in the input list periodically.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-20-2010 12:39 AM

Also, I don't understand what you mean when you say you want to run a search on a schedule, but also allow a user to dynamically populate in one of the (required, I would think) parameters of the search.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-20-2010 12:37 AM

you need to show us the definition of the saved_values saved search, as well as probably some of the data or output of the search. incidentally, and this isn't fundamental to your UI issue, your searchTemplate should be source="test*" AND $id$, not using the search operator unnecessarily.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...