- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to pass values from a dashboard input to a sav...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
I have the below source code:
<search ref="Name of my Saved Report which is scheduled hourly"></search>
How do I pass a dashboard input for the above saved search which is scheduled hourly?
For example: if my above search ref lists all hosts within my environment and I get a dashboard input say "Linux/Windows", I want the scheduled saved report to bring back depending upon the input that was chosen from the dashboard.
Any thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this. Basically make your search which is using a report as source, as base search and use the postprocess search for your panels which can utilize the token to filter the results. My report here is countbysourcetype and has following query
index=_internal | stats count by sourcetype
<form>
<label>Call SavedSearch and Filter</label>
<fieldset submitButton="false">
<input type="dropdown" token="sourcetype">
<search>
<query>| tstats count WHERE index=_internal by sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
</input>
</fieldset>
<search id="basesearch" ref="countbysourcetype"></search>
<row>
<panel>
<table>
<title>countbysourcetype</title>
<search base="basesearch" ><query>where sourcetype="$sourcetype$"</query></search>
<option name="wrap">undefined</option>
<option name="rowNumbers">undefined</option>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this. Basically make your search which is using a report as source, as base search and use the postprocess search for your panels which can utilize the token to filter the results. My report here is countbysourcetype and has following query
index=_internal | stats count by sourcetype
<form>
<label>Call SavedSearch and Filter</label>
<fieldset submitButton="false">
<input type="dropdown" token="sourcetype">
<search>
<query>| tstats count WHERE index=_internal by sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
</input>
</fieldset>
<search id="basesearch" ref="countbysourcetype"></search>
<row>
<panel>
<table>
<title>countbysourcetype</title>
<search base="basesearch" ><query>where sourcetype="$sourcetype$"</query></search>
<option name="wrap">undefined</option>
<option name="rowNumbers">undefined</option>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked perfectly for table dashboard visual but did not work for PIE charts as the pie charts went after stats count and the "Where" clause was added at the very end after stats count so it came up with NO RESULTS all the time. 🙂
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
