I am working on creating a simple UI environment and want to include links to the related Splunk search result web dashboard to make a more coherent experience for the user.
For example, say I have an incident named "Hello World" in my simple UI and if the user clicks on Splunk from this simple UI, the user is navigated to Splunk Web Dashboard with the logs filtered by the keyword "Hello World".
I would be very grateful if you could please share your thoughts on this and let me know if you have any questions.
where in the above URL, 'search' is the name of the Splunk app, web_dashboard is the name of your dashboard and all tokens you are passing in to that dashboard are prefixed with 'form.'
Your search in the dashboard would already need to have that search filter enabled as part of the search, so it would look something like
your search $search_data|s$
so here your input search filter token is added as part of the search query - note the |s at the end of the name will cause it to double quote the value of the search string, effectively the same as doing
and it will set the token named 'first_token' and 'second_token' as above.
Sorting is just managed in the search. By default Splunk will show you indexed events in reverse chronological order, so depending on what visualisation you are doing, you may not need to do any sorting, but Splunk sort is in a simple form
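The deep link discussed in this thread, sketched as an added example (not code from the thread or from Splunk). It builds the link from an incident name in the calling UI and percent-encodes the value so it cannot add query parameters of its own. The host name, the `/en-US/app/` path layout and both function names are assumptions; `search`, `web_dashboard`, `search_data`, `first_token` and `second_token` are the names used above.

```javascript
// Hypothetical Splunk Web base URL; replace with your own deployment.
const SPLUNK_BASE = "https://splunk.example.com:8000";

// App, dashboard and token names become part of the URL structure, so
// restrict them to a conservative alphabet (assumed policy, not a Splunk rule).
const SAFE_ID = /^[A-Za-z0-9_][A-Za-z0-9_-]*$/;

// Build a dashboard link where every token is sent as form.<token>=<value>.
function splunkDashboardLink(app, dashboard, tokens, base = SPLUNK_BASE) {
  for (const id of [app, dashboard, ...Object.keys(tokens)]) {
    if (!SAFE_ID.test(id)) throw new Error(`unsafe identifier: ${id}`);
  }
  // encodeURIComponent escapes &, =, ", | and spaces, so an incident name
  // stays one token value and cannot introduce extra parameters.
  const query = Object.entries(tokens)
    .map(([name, value]) => `form.${name}=${encodeURIComponent(String(value))}`)
    .join("&");
  // Assumed path layout: /<locale>/app/<app>/<dashboard>
  return `${base}/en-US/app/${app}/${dashboard}?${query}`;
}

// Decode the form.* tokens from a link, e.g. to check in a unit test
// what values the dashboard will receive.
function parseFormTokens(link) {
  const tokens = {};
  for (const [key, value] of new URL(link).searchParams) {
    if (key.startsWith("form.")) tokens[key.slice("form.".length)] = value;
  }
  return tokens;
}

// Constructed sample inputs.
const simple = splunkDashboardLink("search", "web_dashboard", {
  search_data: "Hello World",
});
const twoTokens = splunkDashboardLink("search", "web_dashboard", {
  first_token: "Hello World",
  second_token: "error",
});
// An incident name containing URL and SPL metacharacters (constructed).
const awkward = splunkDashboardLink("search", "web_dashboard", {
  search_data: 'a"&form.other=1 | x',
});
console.log(simple);
console.log(twoTokens);
console.log(parseFormTokens(awkward));
```

On the dashboard side, keep referencing the token as `$search_data|s$` as described above, so the received value is quoted inside the search rather than pasted in raw.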