Append to existing search

Benomran
Explorer

I have a long search that is 4 rows, however the only dynamic portion is the first row. I would like to automatically append the remaining 3 static rows to the search. I could not find documentation on this.

Simple Example below:

The user will run this search within the search bar:

index=_internal source=*metrics.log group=pipeline

However I would like the following to automatically be added (in the background within the Advanced XML file):

| stats sum(cpu_seconds) as count by name | fields count, name

Thank you in advance

1 Solution

sideview
SplunkTrust

This is very similar to the question and my answer over here -- http://splunk-base.splunk.com/answers/57634/can-you-use-a-searchbar-and-a-hiddensearch

Ordinarily you would use a HiddenSearch module and a form element module like SearchBar, and then with an 'intention' somewhere along the way that's how you would combine the two search fragments into a single search that gets run.

However you can't use the SearchBar module itself for this because the SearchBar module is built so that it writes the entire search string from start to finish. This leaves no opportunity for anything else to play with the other elements of that search.

[Well.... technically if the user remembered to always have $restOfSearch$ at the end of the string they were typing, then you could use a stringreplace intention to plug in the rest and then it could work. But if the user deleted that from the end they'd get an error. And this is silly because you could have done the same thing effectively just with a restOfSearch macro. ]

So.... solutions.

1) You can use the TextSetting module instead of SearchBar. Then you have TextSetting, HiddenSearch and ConvertToIntention and you plug a stringreplace intention into the ConvertToIntention module. You can see the UI Examples app for guidance here. However the TextSetting module is designed to only be a small form element. You'd have to then also give it a null-valued label param and then use some custom CSS to give it a much wider width, and then you'd have to live without all the fancy stuff that SearchBar does like expanding automatically for multiline searches and showing the user contextual help and autocomplete information.

However, what I recommend is:

2) If you download the Sideview Utils app and use it in your view, it's actually pretty easy to do what you're asking.

a) You would install the Sideview Utils app from the Sideview site ( http://sideviewapps.com/apps/sideview-utils/ ), restart Splunk.

b) Then you'd put the SideviewUtils module in at the top like so:

<module name="SideviewUtils" layoutPanel="appHeader" />

c) and lastly, here's a simple example of how to use the SearchBar and the Search module to do what you're asking.

<module name="SearchBar" layoutPanel="splSearchControls-inline">
  <param name="useAssistant">true</param>
  <param name="useTypeahead">true</param>

  <module name="Search">
    <param name="search">$searchBar$ | stats sum(cpu_seconds) as count by name | fields count, name</param>
  </module>
</module>

Sideview Utils does a great number of little things to augment, extend and improve the UI systems. One of those things is that the SearchBar module is patched so that it does output a simple token ($searchBar$), and another of those things is that Sideview Utils and its "Search" module remove the need for intentions entirely.

You can find tons of information, documentation, tutorials and working examples in the Sideview Utils app itself.
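As an added illustration (not part of the original answer and not Sideview Utils code), this Python sketch models the `$searchBar$` substitution described above and flags two failure modes raised in this thread: a token that never resolves, and a freeform search that already ends in a transforming command. The function names, the `TRANSFORMING` subset and the simplified pipe splitter are assumptions made for the example.

```python
import re

# Static tail from the question; the view appends it to whatever the user types.
STATIC_TAIL = "stats sum(cpu_seconds) as count by name | fields count, name"
TEMPLATE = "$searchBar$ | " + STATIC_TAIL
TOKEN_RE = re.compile(r"\$(\w+)\$")
# Assumed subset of transforming commands: after one of these the events are
# replaced by aggregate rows, so cpu_seconds/name may be gone for the tail.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}


def split_pipeline(spl):
    """Split on pipes outside double quotes and [subsearches] (simplified)."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in spl:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "[":
            depth += 1
        elif not quoted and ch == "]":
            depth = max(depth - 1, 0)
        if ch == "|" and not quoted and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def compose(template, tokens):
    """Fill $name$ tokens in template; return (search, warnings)."""
    warnings = []

    def fill(m):
        name = m.group(1)
        value = tokens.get(name, "").strip()
        if not value:
            warnings.append(f"unresolved token ${name}$")
            return m.group(0)  # literal "$searchBar$" would reach the search
        return value.rstrip("|").strip()  # avoid a doubled pipe before the tail

    search = TOKEN_RE.sub(fill, template)
    for value in tokens.values():
        for stage in split_pipeline(value)[1:]:
            cmd = stage.split(None, 1)[0].lower() if stage else ""
            if cmd in TRANSFORMING:
                warnings.append(f"user search already runs '{cmd}'")
    return search, warnings
```
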

spongmob
Explorer

I'm currently having difficulties with this issue. I have a SearchBar module that passes a value down to a search module. However, I can't find the $searchBar$ token. Instead, the search displays within the $search$ token. Additionally, any search that occurs after the searchbar module is overridden by the initial searchbar search.



true
true
False

$searchBar$ | eval _raw=if(isnull(_raw), "placeholder", _raw)

$searchBar$

sideview
SplunkTrust

Are you saying that $searchBar$ in that HTML module and in the Search module comes out null even when the user types something into the SearchBar module and hits return? That would be very strange. Can you post the full XML on pastebin?

0 Karma

sideview
SplunkTrust

Well you can display it to the user by using $searchBar$ anywhere in an HTML module. Or you can run a search using $searchBar$ anywhere in the Search module, or postprocess other search results by using $searchBar$ in the PostProcess module. However if you really need to do something that can only be done in python then you're talking about either a custom module you would write yourself, or a custom python controller? Either way is pretty far away from what we're talking about so far.

0 Karma

Benomran
Explorer

I would like to display the $searchBar$ value back to the user and perform other functions within python. The python formats & displays the results, that is why I need the $searchBar$ to get passed on to the python file. Is it possible to perform this action?

0 Karma

sideview
SplunkTrust

I'm afraid I'm not following. You don't put anything into any python file -- just put modules like SimpleResultsTable downstream from that Search module, and you'll see the results from the overall search there...

0 Karma

Benomran
Explorer

Sorry, one more thing. How would one pull the $searchBar$ value into the python file? I tried sending it as a parameter but only received it as a string, "$searchBar$".

Thank you in advance!

0 Karma

Benomran
Explorer

Awesome, the SideviewUtils worked great, thank you!
Can't wait to see what SideviewUtils 2.0 has to offer!

0 Karma

Benomran
Explorer

Yes it is a search bar!

What do you mean freeform search?

A user would only be viewing at a bird's-eye view while the search in the background should bring it down to street level! Hope that helps explain it!

0 Karma

jonuwz
Influencer

Are you actually using a search bar, and wanting to append the additional search?

If the user can enter a freeform search string, the extra search may or may not be relevant.

0 Karma