Solved: Question Regrading savedsearch

jangid · ‎08-29-2012

When I issue following command I'll get some result

savedsearch=list_ini

but If I issue below command I didn't get any result

savedsearch list_ini

Here is my savedsearch.conf in default directory

[list_ini]
is_visible = false
search = sourcetype=ini

Similarly If I use savedsearch command in Advanced XML I'am getting following error.

The saved search transaction_success_telnet cannot run as part of a search as it contains non search commands. Please use the savedsearch command.

Here is the saved search for transaction_success_telnet

[transaction_success_telnet]
is_visible = false
search = sourcetype="LOG" COUNTERS | streamstats first(OFS_SourceType) as OFS_SourceType, last(AUTHORISER) as AUTHORISER, last(DATE_TIME) as DATE_TIME, last(INPUTTER) as INPUTTER, last(CURR_NO) as CURR_NO | table MessageID, OFS_SourceType, AUTHORISER, DATE_TIME, INPUTTER, CURR_NO | where  OFS_SourceType="TELNET"

Advanced XML

   .....
    .....
    <param name="staticFieldsToDisplay">
            <list>
                <param name="value">savedsearch=transaction_success_session</param>
                <param name="label">SESSION</param>
            </list>
            <list>
            <param name="value">savedsearch=transaction_success_batch</param>
              <param name="label">BATCH</param>
            </list>
            <list>
                <param name="value">savedsearch=transaction_success_globus</param>
                <param name="label">GLOBUS</param>
            </list>
            <list>
            <param name="value">savedsearch=transaction_success_telnet</param>
              <param name="label">TELNET</param>
            </list>
          </param>
        ........
        ........

can anyone tell me what is right way to use savedsearch in advanced xml?

jonuwz · ‎08-29-2012

You invoke saved searches in the search bar like this :

| savedsearch "Top five sourcetypes"

(note the pipe at the front)

From the look of your XML snippet, you want the user to be able to select from a list of saved searches. If you want the search to run now, and not use cached events (i.e. your saved search is not scheduled - the syntax of your question implies this)

You could do something like this :

<?xml version="1.0"?>
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
  <label>Example</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="DashboardTitleBar" layoutPanel="viewHeader"/>

  <module name="StaticSelect" layoutPanel="mainSearchControls">
    <param name="label">search </param>
    <param name="settingToCreate">search_selecter</param>
    <param name="searchWhenChanged">True</param>
    <param name="staticFieldsToDisplay">
      <list>
        <param name="value">Errors in the last hour</param>
        <param name="label">Latest errors</param>
      </list>
      <list>
        <param name="value">Top five sourcetypes</param>
        <param name="label">Top Sourcetypes</param>
      </list>
    </param>
    <module name="ConvertToIntention">
      <param name="settingToConvert">search_selecter</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="selected_search">
            <param name="fillOnEmpty">True</param>
            <param name="prefix">"</param>
            <param name="suffix">"</param>
            <param name="value">$target$</param>
          </param>
        </param>
      </param>
      <module name="HiddenSearch">
        <param name="search">| savedsearch $selected_search$</param>
        <module name="SubmitButton" layoutPanel="mainSearchControls">
          <module name="SimpleResultsTable" layoutPanel="panel_row1_col1"/>
        </module>
      </module>
    </module>
  </module>
</view>

Retrieving cached data from a scheduled search, chosen from a drop down list, is altogether more difficult.

View solution in original post

jonuwz · ‎08-29-2012

You invoke saved searches in the search bar like this :

| savedsearch "Top five sourcetypes"

(note the pipe at the front)

From the look of your XML snippet, you want the user to be able to select from a list of saved searches. If you want the search to run now, and not use cached events (i.e. your saved search is not scheduled - the syntax of your question implies this)

You could do something like this :

<?xml version="1.0"?>
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
  <label>Example</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="DashboardTitleBar" layoutPanel="viewHeader"/>

  <module name="StaticSelect" layoutPanel="mainSearchControls">
    <param name="label">search </param>
    <param name="settingToCreate">search_selecter</param>
    <param name="searchWhenChanged">True</param>
    <param name="staticFieldsToDisplay">
      <list>
        <param name="value">Errors in the last hour</param>
        <param name="label">Latest errors</param>
      </list>
      <list>
        <param name="value">Top five sourcetypes</param>
        <param name="label">Top Sourcetypes</param>
      </list>
    </param>
    <module name="ConvertToIntention">
      <param name="settingToConvert">search_selecter</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="selected_search">
            <param name="fillOnEmpty">True</param>
            <param name="prefix">"</param>
            <param name="suffix">"</param>
            <param name="value">$target$</param>
          </param>
        </param>
      </param>
      <module name="HiddenSearch">
        <param name="search">| savedsearch $selected_search$</param>
        <module name="SubmitButton" layoutPanel="mainSearchControls">
          <module name="SimpleResultsTable" layoutPanel="panel_row1_col1"/>
        </module>
      </module>
    </module>
  </module>
</view>

Retrieving cached data from a scheduled search, chosen from a drop down list, is altogether more difficult.

Question Regrading savedsearch

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor