
Self defined variable format in javascript search query

clement
Explorer

I found many examples online of searches that use token-based variables, but none that use a variable I created myself in custom JavaScript. E.g.: http://dev.splunk.com/view/webframework-developapps/SP-CAAAEWY

How do I combine a self-defined variable and a token-based variable in a JavaScript search query, e.g. the variables "filename" and "alertid" in the example that follows?

// Partial JavaScript from the question: read one value from the token model,
// define one local value, and hand both to a search command.
var alertid= tokens.get("alertid_token"); // value read from the token model
var filename = "1512234117_372926.png"; // plain JavaScript variable, not a token

   // Search Manager - make a search that is meant to use the two values above
    var search = new SearchManager({
        "id": "search_img",
        "earliest_time": "-5m@m",
        "latest_time": "now",
        // Asker's question: is this variable format correct?
        // As written, the two names sit inside a string literal, so JavaScript
        // does not substitute them; the query text is literally
        // "| imgsearch alertid filename".
        // NOTE(review): however the values end up in the search string (token
        // substitution or concatenation), they become part of the SPL text.
        // A token value can originate outside this script, so check it against
        // the expected shape (for example, digits only for an id) before it
        // reaches the search.
        "search":"| imgsearch alertid filename",
        "cancelOnUnload": true,
        "autostart": false,
       "auto_cancel": 90,
        "preview": false,
        "cache": false
    });
1 Solution

clement
Explorer

@niketnilay, thank you for your reply.

I tested your suggestion, however it is not working.

The two calls "console.log(alertid);" and "console.log(filename);" before the search runs print the correct values, but neither the "Search started" message nor the "search:done" status is shown.

Please find my complete JS code below:

// Simple XML JavaScript extension: when a row of the 'myevents' table is
// clicked, build a file name from the current time and a token value, then
// start a search that passes both to the imgsearch command.
require([
"splunkjs/mvc",
"splunkjs/mvc/searchmanager",
"splunkjs/mvc/simplexml/ready!"
], function(mvc) {

var SearchManager = require("splunkjs/mvc/searchmanager");

// Get the Events table
var myEventsTable = mvc.Components.get('myevents');


// Respond to a click event
myEventsTable.on("click", function(e) {


    // Get the default token model and copy one token value into a local variable
    var tokens = mvc.Components.get("default");
    var alertid= tokens.get("src_type_tok");
    var ctime = new Date().getTime();

    // Build the file name as <epoch milliseconds>_<alertid>.png
    // NOTE(review): the token value becomes part of a file name. Presumably
    // imgsearch uses it as a path, so restrict alertid to the characters an id
    // is expected to contain before building the name - confirm against the
    // command's implementation.
    var filename = ctime + "_" + alertid + ".png";

    console.log(alertid);
    console.log(filename);

    // NOTE(review): this constructor runs on every click with the same id
    // "search_img"; a second click may collide with the instance that is
    // already registered - confirm.
    var search = new SearchManager({
         "id": "search_img",
         "earliest_time": "-5m@m",
         "latest_time": "now",
         // $alertid$ and $filename$ are token references, looked up in the
         // "submitted" namespace named in the options below. Nothing in this
         // handler sets tokens with those names: alertid and filename above
         // are JavaScript locals, and the value was read from the "default"
         // model. Presumably that is why the search never starts; setting
         // them first, e.g. mvc.Components.get("submitted").set("filename",
         // filename), is the usual approach - confirm.
         // NOTE(review): substituted values become SPL text. Simple XML
         // documents a |s token filter ($alertid|s$) that quotes the value;
         // verify it applies here, and validate the value either way.
         "search": "| imgsearch $alertid$ $filename$",    // this one not working
       //"search": "| imgsearch 3215687 153857376_3215687.png",   // this is working fine
         "cancelOnUnload": true,
         "autostart": false,
         "auto_cancel": 90,
         "preview": false,
         "cache": false,
         "tokenDependencies": {
         },
         "runWhenTimeIsUndefined": false
    }, {tokens: true, tokenNamespace: "submitted"});

    console.log("after search function");

    // Log each lifecycle event; the handlers do not read `this`, so the
    // bind calls have no visible effect on them.
    search.on('search:failed', function() {
        console.log("Search failed");
    }.bind(this));

    search.on("search:start", function() {
        console.log("Search started");
    }.bind(this));

    search.on("search:done", function() {
        console.log("Search completed");
    }.bind(this));

    // Start the search explicitly, since autostart is false
    search.startSearch();
});

});


clement
Explorer

@niketnilay, thank you for your reply.

I tested your suggestion, however it is not working.

The two calls "console.log(alertid);" and "console.log(filename);" before the search runs print the correct values, but neither the "Search started" message nor the "search:done" status is shown.

Please find my complete JS code below:

// Dashboard extension script: on a click in the 'myevents' table it derives a
// file name from the time and a token value, then runs imgsearch with both.
require([
"splunkjs/mvc",
"splunkjs/mvc/searchmanager",
"splunkjs/mvc/simplexml/ready!"
], function(mvc) {

var SearchManager = require("splunkjs/mvc/searchmanager");

// Get the Events table
var myEventsTable = mvc.Components.get('myevents');


// Respond to a click event
myEventsTable.on("click", function(e) {


    // Read src_type_tok from the "default" token model into a local variable
    var tokens = mvc.Components.get("default");
    var alertid= tokens.get("src_type_tok");
    var ctime = new Date().getTime();

    // File name is <epoch milliseconds>_<alertid>.png
    // NOTE(review): alertid is copied from a dashboard token and ends up in a
    // file name; if imgsearch treats it as a path, an unexpected value could
    // point outside the intended directory. Allow only the expected id
    // characters - verify how the command uses this argument.
    var filename = ctime + "_" + alertid + ".png";

    console.log(alertid);
    console.log(filename);

    // NOTE(review): a new manager with id "search_img" is created per click;
    // repeated clicks reuse the same id and may be rejected - confirm.
    var search = new SearchManager({
         "id": "search_img",
         "earliest_time": "-5m@m",
         "latest_time": "now",
         // The $name$ form refers to tokens in the "submitted" namespace (see
         // the options argument), not to the JavaScript variables declared
         // above. No token called alertid or filename is set in this script,
         // which presumably leaves the search waiting on unresolved tokens.
         // Publishing the locals as tokens before the search, e.g.
         // mvc.Components.get("submitted").set("alertid", alertid), is the
         // usual way to bridge the two - confirm.
         // NOTE(review): token values are spliced into the SPL string, so
         // treat them as untrusted: validate them, and check whether the |s
         // quoting filter documented for Simple XML ($filename|s$) is honored.
         "search": "| imgsearch $alertid$ $filename$",    // this one not working
       //"search": "| imgsearch 3215687 153857376_3215687.png",   // this is working fine
         "cancelOnUnload": true,
         "autostart": false,
         "auto_cancel": 90,
         "preview": false,
         "cache": false,
         "tokenDependencies": {
         },
         "runWhenTimeIsUndefined": false
    }, {tokens: true, tokenNamespace: "submitted"});

    console.log("after search function");

    // Lifecycle logging only; none of these handlers uses `this`.
    search.on('search:failed', function() {
        console.log("Search failed");
    }.bind(this));

    search.on("search:start", function() {
        console.log("Search started");
    }.bind(this));

    search.on("search:done", function() {
        console.log("Search completed");
    }.bind(this));

    // autostart is false, so the search is started by hand here
    search.startSearch();
});

});


niketn
Legend

@clement, what you are trying to do can be done in Simple XML itself. Any specific reason for JavaScript?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

clement
Explorer

@niketnilay, indeed you have just highlighted a good pointer for me to find a workaround, thank you.

I referred to the following workaround; it works fine for my requirement:
https://answers.splunk.com/answers/239159/multiple-base-searches-in-a-dasboard-with-post-pro.html

Thanks again for sharing your information 🙂


niketn
Legend

@clement, it seems you are using post-processing to overcome the issue you were facing, whereas using the init section to initialize a token is a different approach. Either way, I am glad you found something that works for you.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

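@clement, I believe imgsearch is your custom SPL command. The tokens in the search string should be placed within dollar signs (this form substitutes tokens held in the token model; a plain JavaScript variable has to be set as a token first), i.e.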

|  imgsearch $filename$ $alert_id$

Following is what your search might look like with the changes.

// Suggested SearchManager definition: the search string refers to its two
// arguments as tokens, and the second argument turns token substitution on.
var search = new SearchManager({
            "id": "search_img",
            "earliest_time": "-5m@m",
            "latest_time": "now",
            // $filename$ and $alert_id$ are resolved from the "submitted"
            // namespace named below, so tokens with exactly these names have
            // to be set there before the search can run.
            // NOTE(review): the literal query reported as working in this
            // thread passes the alert id first and the file name second, and
            // the thread's code calls the value alertid rather than alert_id -
            // check argument order and token names against the command.
            // NOTE(review): substituted token values become SPL text; validate
            // them (or quote them with a token filter) before the search uses
            // them.
            "search": "|  imgsearch $filename$ $alert_id$",
            "cancelOnUnload": true,
            "autostart": false,
            "auto_cancel": 90,
            "preview": false,
            "cache": false,
            "tokenDependencies": {
            },
            "runWhenTimeIsUndefined": false
        }, {tokens: true, tokenNamespace: "submitted"});

PS: From Splunk Enterprise 6.5 onward, if you are not using HTML dashboards, you should have an <init> section available in Simple XML dashboards, which should allow you to initialize your own static tokens, such as filename. This implies that you do not need a Simple XML JavaScript extension for such scenarios. (Note: the init section does not work in an HTML dashboard, or after conversion to an HTML dashboard.)

  <init>
    <set token="filename">1512234117_372926.png</set>
  </init>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"