Splunk Search

Copy data from search results to clipboard; preserve previous search

landen99
Motivator

The results of the searches bring a lot of useful information such as hashes, IP addresses, file locations and names. Rather than re-type this information into other applications, it is quite useful to simply highlight the information and copy it to the clipboard for pasting into other locations.

Unfortunately, left-clicking and sometimes even the process of highlighting (left-click and drag) can launch a new Splunk search based on whatever field it thought that I was clicking on. I would prefer to turn that functionality off altogether, but the more important point is that I lose the results of the previous search when this happens.

I would also prefer the ability to easily recall the search results without waiting for the search to execute again from the beginning. I read an article where you can find the search ID number and then input that into a chain of search commands which can pull the previous search results into a new search or simply bring them up for viewing without executing a new search, but that process seems quite inconvenient: `newsearch | append [| loadjob <oldsearchid>]`

Is there a way to prevent the clicking action from instantly running a new search?
Is there a way to have new searches by clicking run in a new window by default?
Is there a way to pull a previous search without having to record the search number of the previous search immediately after each search? On a side note, when a new search is accidentally started while trying to copy information to the clipboard, is it possible to discover the search ID of the previous (lost) search? Is there a search history area?

1 Solution

landen99
Motivator

To turn off the function to launch a new search when a field is clicked (called drilldown):
Open the Format menu (below the time graph) and set the Drilldown menu to "None".

Find previous Jobs through Activity - Jobs at the top right of the client. (Thank you, lguinn)

I still cannot locate the function to launch a new search into its own window from the search entered into an existing search box, thus keeping a previous search in its window. The goal of such a function would be to allow an initial search to attempt a refinement, which would use the results of the previous search (like a pipe). If the new search was unsuccessful, then that new window could be closed and the previous search would be waiting in the old window for another attempt to refine the search. This would also allow one search to be piped into a table and into a stats chart and into a Visualization all separately while only running the initial search parameters once.

The search ID (sid) may be found easily from the last element in the URL, from the Inspect function found in the Activity - Jobs history page, or by using the Search Job Inspector.


lguinn2
Legend

I am going to consolidate some of the above discussion into an answer, and make some suggestions:

  • The easiest way to view the results of prior searches is in the Jobs menu. In Splunk 6, you will find it under the Activity item. You do not need the search id.
  • After 10 minutes (this is configurable by the Splunk admin), searches expire and are no longer accessible from the Jobs menu.
  • If you do want the search id, you can find it by using the Search Job Inspector.
  • I do not think there is any way to change the click behavior of the default search view.

What you can do to make this easier:

  • Use workflow actions to integrate your search results with another web-based app. This is pretty easy to set up, but it might not be exactly what you want. (Link to Manual)
  • Put your search in a form using simple XML. You can make the form with a lot of buttons or just a search box. It won't have all the functionality of the normal search BUT (1) it won't have the click problem and (2) you can write a custom drilldown so that you can click on the result. This will take a little more work; here is the link to how to build a form search.
  • You could copy the flashtimeline view and customize it. This is advanced XML, and therefore a bit more complicated than the other two options. But you can certainly build custom drilldown. I am also sure that you can completely remove the click behavior, although I have never done that myself. In Splunk 5, flashtimeline is the default search view. In Splunk 6, flashtimeline is still there but it isn't the default. In either case, you should copy it and then rename+edit your copy.
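As an added illustration of the second suggestion above (a simple XML form instead of the default search view), and of the `loadjob` recall the original question mentions, here is a small dashboard form. It is example code written for this thread, not from the original posts or from Splunk's documentation. The field names (`host`, `src_ip`, `file_hash`), the default search, and the token names are assumptions chosen for the example; `loadjob` needs a sid of a job that has not yet expired from the Jobs list.

```xml
<form>
  <label>Copy-friendly results (drilldown off)</label>

  <fieldset submitButton="true">
    <!-- Free-text search box; the default is an assumed example search -->
    <input type="text" token="spl">
      <label>Search</label>
      <default>index=main sourcetype=proxy</default>
    </input>
    <!-- Optional: sid of an earlier job, e.g. copied from the Jobs page or the search URL -->
    <input type="text" token="sid">
      <label>Previous job sid (optional)</label>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>New search</title>
      <table>
        <search>
          <!-- Assumed field names; adjust to your data -->
          <query>$spl$ | table _time host src_ip file_hash</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <!-- "none" disables the click-to-search behaviour so cells can be
             highlighted and copied without launching a new search -->
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

  <row>
    <!-- Panel is hidden until a sid is entered -->
    <panel depends="$sid$">
      <title>Results of previous job $sid$</title>
      <table>
        <search>
          <!-- loadjob reads the stored results of the finished job; nothing is re-run -->
          <query>| loadjob $sid$ | table _time host src_ip file_hash</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Save this as a dashboard in an app's `default/data/ui/views/` directory (or paste it into the dashboard editor's source view). Because every table has drilldown set to `none`, selecting text in either panel no longer replaces the current results, and a sid pasted into the second input brings back an earlier job's results without re-executing the search.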

landen99
Motivator

I found a way to change the click behavior of the default search view.

Turn off the function to launch a new search when a field is clicked (called drilldown) by doing the following:

Open the Format menu (below the time graph) and set the Drilldown menu to None.


landen99
Motivator

Even then, there may be 100 hash values and I only want to pass a few of them to VirusTotal and view their webpage showing the results of the analysis. The same is true of user ids in the Splunk search results for the employee search or of computer names for the asset portal search. Even still, workflow actions do sound interesting and powerful for automating other applications. They do not seem helpful in this case though.


martin_mueller
SplunkTrust

For the web-based ones you can create workflow actions that pass Splunk field values to those applications: http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Aboutlookupsandfieldactions#Workflow_act...


landen99
Motivator

Some of the applications/tools which use the data copied from Splunk are web-based with URL-manipulatable data functions, like VirusTotal and like our internal assets and employee search pages. Others are not, like MS Excel, where I store records of findings and relate data or create command line argument strings for cmd.exe, where data is sometimes pasted into a string from either Excel or Splunk.


martin_mueller
SplunkTrust

Are the other applications web-based and able to accept the text you're trying to copy&paste as a URL parameter?


landen99
Motivator

I think this is true if the back arrow is used before the search expires (anyone know how long?). On that note, the sid is located in the URL, so it makes sense that the back arrow would retrieve the search without executing it again. So the URL would be an easy place to find the sid of the current search. In another thread, the Inspect Search function was suggested for locating the sid, but that seemed a little too painful to me just to get an sid. The need to get an sid seems inconvenient enough by itself, except perhaps with complex searches which use results from multiple searches.


martin_mueller
SplunkTrust

For the side note, you can usually just press the browser's back button.

As for search history, you're probably thinking of the job monitor accessible from the top right corner.
