Developing for Splunk Enterprise

Link and pass parameter to saved search?

andyk
Path Finder

How can I link to and run a Splunk search from our in-house developed first-line support system?

I have a search that looks like this:

"host="10.zz.yy.11" OR host="10.xx.zz.12" order_id="XXXXXX" | transaction order_id"

Our support personnel find the order_id in the support system, and then they have to copy the order_id, log in to Splunk, type in the search, paste the order_id, and run the search. I would like to just add a link in the support system that opens a new window where the results of the search are shown. What is the best way to do this?

// Andreas

0 Karma
1 Solution

gkanapathy
Splunk Employee

You can

  1. modify your savedsearch so it takes a parameter that can be passed in via the "savedsearch" search command: http://www.splunk.com/base/Documentation/latest/SearchReference/Savedsearch
  2. create a URL from your other system that looks like: http://splunkurl/app/search/flashtimeline?q=savedsearch mysavedsearchname myparamname=myparamvalue. To be strict about it, the entire query savedsearch myparam=myparamvalue needs to be URL-encoded. You can also pass this search to a different view other than search/flashtimeline, e.g., you could use search/charting


Update. Example stripped-down view you could use instead of flashtimeline or charting:

<view template="dashboard.html" onunloadCancelJobs="False" autoCancelInterval="100">
  <!--  autoCancelInterval is set here to 100  -->
  <label>Chart</label>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">3</param>
  </module>

  <module name="FlashChart" layoutPanel="panel_row1_col1">
    <param name="width">100%</param>
    <param name="height">100%</param>
  </module>

</view>

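One way the support system could build such a link, as an added example in Python (not code from the answer above or from Splunk): the order_id copied from the ticket is allow-listed before it is interpolated into the SPL, so a crafted value cannot append extra search commands to the saved search, and the whole q= value is URL-encoded in one go as the answer requires. The Splunk host, the saved search name "orders", and the order_id pattern are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed order_id format: the question only shows "XXXXXX", so a short
# alphanumeric token is allow-listed here; tighten this to the real format.
ORDER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
SAVED_SEARCH_RE = re.compile(r"[A-Za-z0-9_ -]{1,100}")


def is_safe_order_id(order_id: str) -> bool:
    """True only if order_id matches the allow-list (no quotes, pipes, spaces)."""
    return ORDER_ID_RE.fullmatch(order_id) is not None


def build_savedsearch_url(splunk_base: str, saved_search: str,
                          order_id: str, view: str = "search/flashtimeline") -> str:
    """Build the link the support system opens: <base>/app/<view>?q=<SPL>.

    The SPL is `| savedsearch "<name>" order_id="<value>"`. The answer writes
    the savedsearch command without the leading pipe; the piped form is used
    here because generating commands are normally written that way, and it
    URL-encodes the same way. The order_id is validated before being
    interpolated so a value pasted from a ticket cannot add further search
    commands, and the complete query is URL-encoded as one parameter value.
    """
    if not is_safe_order_id(order_id):
        raise ValueError(f"refusing to build a link for order_id {order_id!r}")
    if SAVED_SEARCH_RE.fullmatch(saved_search) is None:
        raise ValueError(f"unexpected saved search name {saved_search!r}")
    spl = f'| savedsearch "{saved_search}" order_id="{order_id}"'
    return f"{splunk_base.rstrip('/')}/app/{view}?" + urlencode({"q": spl})


def spl_from_url(url: str) -> str:
    """Decode the q= parameter back to the SPL that Splunk will run."""
    return parse_qs(urlparse(url).query)["q"][0]


if __name__ == "__main__":
    # Constructed sample values: hypothetical host, saved search and order number.
    link = build_savedsearch_url("https://splunk.example.com", "orders", "123456")
    print(link)
    print(spl_from_url(link))
```

Pass a different view name (for example "search/charting", or a custom view like the one in the answer) to send the same query to another page.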

mayler
Path Finder

Did gkanapathy mean: http://splunkurl/app/search/flashtimeline?q=savedsearch

or

http://splunkurl/app/search/flashtimeline?s=savedsearch

Are you ok with using Reports? Or would that be too much work...

0 Karma

gkanapathy
Splunk Employee

I mean q=, which will invoke the savedsearch command, but I forgot to put in the name of the saved search; I'm correcting that. The other, s=, will invoke the saved search named, but you can't pass parameters with it.

0 Karma


gkanapathy
Splunk Employee

Yes, but you'd have to create such a view yourself. It would actually be a very simple view. I have updated above with an example that would render as a chart, but you could make a similar one with a table, etc.

0 Karma

andyk
Path Finder

Is it possible to send it to a view where I only see the results and not the menu, timeline and the fields?

0 Karma

cpenkert
Path Finder

Are you looking for a way to do this in the context of the Splunk GUI, or do you want to go through the search API and have the results returned for your display within your existing system?

0 Karma

andyk
Path Finder

I just want something up and running quickly, so I will use Splunk's UI right now. In a later stage I might use the API.

0 Karma