How can I link to and run a Splunk search from our in-house developed first-line support system?
I have a search that looks like this:
"host="10.zz.yy.11" OR host="10.xx.zz.12" order_id="XXXXXX" | transaction order_id"
Our support personnel find the order_id in the support system, and now they have to copy the order_id, log in to Splunk, type in the search, paste the order_id and run the search. I would like to just add a link in the support system that opens a new window where the results of the search are shown. What is the best way to do this?
// Andreas
You can link to http://splunkurl/app/search/flashtimeline?q=savedsearch mysavedsearchname myparamname=myparamvalue. To be strict about it, the entire query savedsearch myparam=myparamvalue needs to be URL-encoded. You can also pass this search to a different view other than search/flashtimeline, e.g., you could use search/charting.
Update. Example stripped-down view you could use instead of flashtimeline or charting:
<view template="dashboard.html" onunloadCancelJobs="False" autoCancelInterval="100">
<!-- autoCancelInterval is set here to 100 -->
<label>Chart</label>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">3</param>
</module>
<module name="FlashChart" layoutPanel="panel_row1_col1">
<param name="width">100%</param>
<param name="height">100%</param>
</module>
</view>
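One way to generate such a link from the support system, as an added Python example that is not part of the answer above: it URL-encodes the whole savedsearch query as the answer describes, and additionally rejects parameter values outside a safe character set before they are spliced into the search string, since whatever the support system puts after savedsearch is executed as SPL. The host name, the saved-search name order_lookup, and the argument name order_id are assumptions; the saved search is assumed to reference $order_id$ in its definition so that savedsearch substitutes the value.

```python
"""Build a deep link that runs a Splunk saved search with a parameter.

Added example, not from the original thread. Assumed (not on the page):
the Splunk host, the saved-search name "order_lookup", and the argument
name "order_id"; the saved search is assumed to use $order_id$ in its SPL.
The view path /app/search/flashtimeline is the one the answer gives and
can be swapped for another view via the `view` argument.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

# The value ends up inside SPL via savedsearch's argument substitution, so a
# quote or pipe in an unchecked value could change the search instead of
# merely failing to match. Allow only a conservative character set.
PARAM_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
PARAM_VALUE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
SAVED_SEARCH_RE = re.compile(r"[A-Za-z0-9 _-]{1,128}")


def build_spl(saved_search, **params):
    """Return the un-encoded query: savedsearch "<name>" k=v ..."""
    if not SAVED_SEARCH_RE.fullmatch(saved_search):
        raise ValueError(f"rejected saved search name: {saved_search!r}")
    parts = [f'savedsearch "{saved_search}"']
    for name, value in params.items():
        if not PARAM_NAME_RE.fullmatch(name):
            raise ValueError(f"rejected parameter name: {name!r}")
        if not PARAM_VALUE_RE.fullmatch(str(value)):
            raise ValueError(f"rejected parameter value for {name}: {value!r}")
        parts.append(f"{name}={value}")
    return " ".join(parts)


def build_search_link(splunk_base, saved_search, view="search/flashtimeline", **params):
    """Return https://<host>/app/<view>?q=<URL-encoded savedsearch query>."""
    spl = build_spl(saved_search, **params)
    # safe="" so that spaces, quotes and '=' inside the query are all encoded.
    return f"{splunk_base.rstrip('/')}/app/{view}?q={quote(spl, safe='')}"


def query_from_link(link):
    """Decode the q= parameter back to SPL (what Splunk will receive)."""
    return parse_qs(urlsplit(link).query)["q"][0]


if __name__ == "__main__":
    # Constructed sample input: an order id as the support system would hold it.
    link = build_search_link("https://splunk.example.com", "order_lookup",
                             order_id="ORD12345")
    print(link)
    print(query_from_link(link))
    try:
        build_search_link("https://splunk.example.com", "order_lookup",
                          order_id='x" | delete')
    except ValueError as exc:
        print("rejected:", exc)
```

The support system only has to emit build_search_link(...) as the href of a link with target="_blank"; the user still authenticates to Splunk in the new window, so the link carries no credentials.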
Did gkanapathy mean http://splunkurl/app/search/flashtimeline?q=savedsearch or http://splunkurl/app/search/flashtimeline?s=savedsearch ?
Are you ok with using Reports? Or would that be too much work...
I mean q=, which will invoke the savedsearch command, but I forgot to put in the name of the saved search; I'm correcting that. The other, s=, will invoke the named saved search, but you can't pass parameters with it.
Yes, but you'd have to create such a view yourself. It would actually be a very simple view. I have updated above with an example that would render as a chart, but you could make a similar one with a table, etc.
Is it possible to send it to a view where I only see the results and not the menu, timeline and the fields?
Are you looking for a way to do this in the context of the Splunk GUI, or do you want to go through the search API and have the results returned for your display within your existing system?
I just want something up and running quickly, so I will use Splunk's UI right now. In a later stage I might use the API.