I have a dashboard with pulldown menu and I want to call different saved searches depending upon the selection.
Is there a way
1. to pass parameters to a saved search
2. Have an if else condition in the dashboard xml to call 2 different saved searches based on the selection
It sounds like you don't simply want each option in the Pulldown to run its own distinct saved-search, but rather something where options 1-10 trigger savedsearch X, and 11-20 trigger savedsearch Y. Can you confirm? Either way it is possible but the answers would be quite different.
This is my scenario.. Pulldown will have span like 5mins, 1 hr etc.
Depending upon the span selected, I need to trigger a saved search with span 5 mins or 1 hr. The saved search remains the same except for the span selected.
Please let me know how I can do that.
Thanks in advance!
There are multiple ways to do this. You can pass a parameter across to the saved search or you can use an eval based macro which switches out the time range based on the selected options.
I'm sorry gpanicker - can you describe a little more? Do you mean that your Pulldown will have precisely two entries, one that is a 5min span, and one a 1hr span? In which case each Pulldown option maps to one specific savedsearch? Also do you just need to run the savedsearches then and there, or do you want to potentially access the search results run previously by the savedsearch scheduler?
You can go into Manager -> User Interface -> Views and create a view which will appear in the views menu in search. You can put your search in the view, then have the view have a pulldown menu that goes to a default time or lets you pick a time. But you have to work in xml to do this. There is some splunk documentation on using a view.
what you want is a Switcher Module, you can find the instructions and sample code if you install the app Splunk Dashboards Examples
Then, you can start by taking a look at the view called "switcher1"
Switcher is a good tool to solve this problem, but Switcher is a Sideview module, part of Sideview Utils, and it is not a Splunk module. The Dashboard Examples app deals only with core Splunk modules. What you want instead is the Sideview Utils app, and to get Switcher you'll have to get the latest version which is only available from the Sideview website. http://sideviewapps.com/apps/sideview-utils