Is it possible to send a search to the background from the search string?

jambajuice
Communicator

I would like to build a dashboard that contains form fields for the start time/date and end time/date of a series of searches. I want to have about seven searches on the dashboards that take the time value from the form and then send those searches to the background (where they will create a CSV file).

Is it possible to send a search to the background using a search command?

Thx.

Craig

sideview
SplunkTrust

There is no way to do this from the search language, unless you count piping to the outputcsv or outputlookup commands.

However, sending a search to the background is really just a matter of saving the job. So you could write a custom view that had some custom JavaScript to call search.save();

However, based on your comment on another answer, it sounds like what you really want is to schedule a search to run on the first of the month to run over the previous month's data. This is totally possible.

Try using this as your schedule. And note that when you're saving the search you'll have to flip it into the 'advanced' mode so you can enter this cron string manually:

0 0 1 * *

Or you probably want to run it a little later, like at 2AM on the first of the month:

0 2 1 * *

And then if you want the search to run only over the previous month's data, that's easy too. Although again you have to set a 'custom' timerange to do this. You can either do this by picking Custom then 'Advanced Search Language' in the TimeRangePicker when you run the search, or by setting the time arguments manually when you're saving the search. Either way set the earliest and latest arguments as follows:

earliest: -1mon@mon
latest: @mon
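
The schedule and time range from the answer above, written as a savedsearches.conf stanza. This is an added example, not part of the original post; the stanza name, the search string and the output file name are constructed placeholders.

```ini
# savedsearches.conf (added example; stanza name, search and file name are constructed)
[Monthly CSV export]
search = index=main sourcetype=access_combined | stats count by host | outputcsv monthly_report
# Run on a schedule instead of from a dashboard form
enableSched = 1
# 02:00 on the 1st of every month
cron_schedule = 0 2 1 * *
# Window snaps to month boundaries: start of the previous month up to the start of the current month
dispatch.earliest_time = -1mon@mon
dispatch.latest_time = @mon
```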

mw
Splunk Employee

Assuming that I'm following what you're asking: I don't believe this is possible, outside of a scheduled search. What would the user do after filling in the form though? Stare at a blank screen, or just run off to other dashboards for other things and forget about that dashboard?

0 Karma

mw
Splunk Employee

Nick's answer addresses that properly.

0 Karma

jambajuice
Communicator

We export the search results to CSV and use a PivotTable in Excel to display the data. The search runs on the previous calendar month's data and I haven't figured out a way to schedule a search on the first of the month that will only display events from the last calendar month...

0 Karma