Splunk Search

Simple XML Dashboard: Is it possible to block a global search until it is completely finished?

New Member

Here is the situation:

I've got a dashboard where the user can type in an IP address. I've got a global base search that runs through all the logs and returns a table of source IPs, destination IPs, and destination ports. The twist here is that this table includes any translations that show up in some portions of the infrastructure. Now I take this table and run it through another post-process search in a drop-down to generate the search string that includes all translations (so I am getting events that would not be found using the input IP) and assign it to the drop-down's token. The search string is automatically chosen using the <selectFirstChoice>true</selectFirstChoice> property of the drop-down. This works occasionally, but what seems to be happening is that it populates correctly, then the search progresses a little more and the value of the drop-down element changes; the choice selected by <selectFirstChoice> is now incorrect and I have to re-select it. So my question is: is it possible to have a search blocked until it is completely finished in Simple XML, so that post-processing doesn't happen until the result set is fully defined?

A couple of points:
- I'm using this in an environment where I don't have access to add apps or use custom JavaScript in a dashboard.
- I'm going to post-process the table returned in the global search a couple of different ways, so need to keep it there. Otherwise I would just merge this all into a subsearch.

Thanks in advance for any replies!

0 Karma
1 Solution

SplunkTrust

I'm assuming that selectFirstChoice works similarly to the first option of the eval command. This "feature" is exactly counter to what you would expect: first = earliest. Therefore, as your search progresses, the earliest event is chosen, not the latest. You could mitigate this by using the latest command:

stats latest(src_ip) as src_ip

and reference that in the dropdown with valueField defined as src_ip


0 Karma

SplunkTrust

If I have answered your question, please accept the answer.

0 Karma

New Member

I got it working (after a long hiatus of working on it). I tried a lot of things, but what ultimately worked was taking a different approach to the search. Before, I was running the eventstats in the post-process query. Moving that over to the base search got all the IP translations in place, then the post-process just deduped the results. Your comment did get me on the right track to thinking about it. So thanks for the answer!

0 Karma
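The dashboard layout the thread describes, with the fix the original poster settled on (eventstats in the base search, dedup in the drop-down's post-process, <selectFirstChoice> on the drop-down), as an added Simple XML example; this is not code from either post. The index name `firewall`, the CIM-style field names `src_ip`, `dest_ip`, `dest_port`, `src_translated_ip` and `dest_translated_ip`, and the token names `ip` and `ip_filter` are assumptions. The alternative the accepted answer suggests, `stats latest(...)` in the drop-down's post-process, is shown as a commented-out line at the point where it would replace the dedup.

```xml
<form>
  <label>Connections by IP, including NAT translations (added example)</label>

  <fieldset submitButton="true">
    <!-- User-typed IP. Token name "ip" is assumed. The |s filter on $ip|s$
         below wraps the value in quotes and escapes it, so a stray quote or
         pipe typed into the box cannot alter the search. -->
    <input type="text" token="ip">
      <label>IP address</label>
    </input>

    <!-- Drop-down whose single choice is a ready-made SPL filter covering
         every address related to $ip$ by translation. selectFirstChoice
         auto-selects it. The post-process only dedups a field that the base
         search has already computed on every row. -->
    <input type="dropdown" token="ip_filter" searchWhenChanged="true">
      <label>Expanded IP filter</label>
      <search base="base_ips">
        <query>| dedup ip_filter | table ip_filter</query>
        <!-- Variant from the accepted answer, same effect here because
             ip_filter is identical on every row:
             | stats latest(ip_filter) AS ip_filter -->
      </search>
      <fieldForLabel>ip_filter</fieldForLabel>
      <fieldForValue>ip_filter</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>

  <!-- Global base search (index and field names assumed). eventstats runs
       here, in the base search, so every row carries the complete set of
       related addresses before any post-process reads it. -->
  <search id="base_ips">
    <query>index=firewall (src_ip=$ip|s$ OR dest_ip=$ip|s$ OR src_translated_ip=$ip|s$ OR dest_translated_ip=$ip|s$)
| fields _time src_ip dest_ip dest_port src_translated_ip dest_translated_ip
| eval all_ips=mvappend(src_ip, dest_ip, src_translated_ip, dest_translated_ip)
| eventstats values(all_ips) AS related_ips
| eval ip_filter="(src_ip IN (\"" . mvjoin(related_ips, "\",\"") . "\") OR dest_ip IN (\"" . mvjoin(related_ips, "\",\"") . "\"))"
| table _time src_ip dest_ip dest_port ip_filter</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Source / destination / port table (first post-process)</title>
      <table>
        <search base="base_ips">
          <query>| dedup src_ip dest_ip dest_port | table src_ip dest_ip dest_port</query>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Events for every translated address (uses the drop-down token)</title>
      <table>
        <!-- $ip_filter$ is inserted raw on purpose: it is a search fragment
             built from event field values, not from the text box. -->
        <search>
          <query>index=firewall $ip_filter$ | stats count BY src_ip dest_ip dest_port</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two practical checks. The base search ends in `table`, so it is non-transforming; Splunk caps what post-process searches can read from a non-transforming base search (500,000 events by default), so on a busy firewall index narrow the time range or finish the base search with a transforming command. And the last panel does not run until `$ip_filter$` is set, which is the intended gate: it waits for the drop-down to be populated rather than running with a half-built filter.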