I have a dashboard I've put together that runs one hiddensearch with three wildcard search parameters (time, virus name, and group). These are drop down lists with a submit button to kick off the search. When the dashboard initially loads, it runs the search because autoRun has to be set to True for a hidden search. I would like to have it NOT run the query until values are selected from the drop down list and the submit button is pressed.
Is this possible with a hidden search? Setting autoRun to False in my module tag does not work.
In the xml that you pasted you have the HiddenSearch outside the intentions and listers, if you move in to inside the SubmitButton the search will be run when the button is clicked and you don't need the autoRun=true
.
...
<module name="SubmitButton">
<param name="label">Show Charts</param>
<module name="HiddenSearch" layoutPanel="panel_row1_col1">
<param name="search">sourcetype="Sophos" ThreatName=$threat$
DomainName=$domain$ ThreatType="1" ActionTaken="101" | fields
ThreatName, DomainName
</param>
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1" group="Count by ThreatName Over Time">
<param name="search">timechart count by ThreatName</param>
<module name="JobStatus">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">Count</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row3_col1" group="Count by Domain Over Time">
<param name="search">timechart count by DomainName</param>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">Count</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row3_col2" group="Count by Domain">
<param name="search">chart count by DomainName | sort -num(count)
</param>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="SimpleResultsTable">
<param name="drilldown">all</param>
</module>
</module>
</module>
</module>
</module>
</module>
...
In the xml that you pasted you have the HiddenSearch outside the intentions and listers, if you move in to inside the SubmitButton the search will be run when the button is clicked and you don't need the autoRun=true
.
...
<module name="SubmitButton">
<param name="label">Show Charts</param>
<module name="HiddenSearch" layoutPanel="panel_row1_col1">
<param name="search">sourcetype="Sophos" ThreatName=$threat$
DomainName=$domain$ ThreatType="1" ActionTaken="101" | fields
ThreatName, DomainName
</param>
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1" group="Count by ThreatName Over Time">
<param name="search">timechart count by ThreatName</param>
<module name="JobStatus">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">Count</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row3_col1" group="Count by Domain Over Time">
<param name="search">timechart count by DomainName</param>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">Count</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row3_col2" group="Count by Domain">
<param name="search">chart count by DomainName | sort -num(count)
</param>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="SimpleResultsTable">
<param name="drilldown">all</param>
</module>
</module>
</module>
</module>
</module>
</module>
...
Okay, my problem was that every parent module needs to have autoRun="False". This is after changing the code to erydberg's recommendations.
Apparently white space is minimized down to 1 space, so the hierarchy I gave is each module's level.
I moved it inside the SubmitButton and have my Listers as the parent nodes, but the search is still running. I've tried setting auto-run to False to and have not had any luck either. My module hierarchy is now:
<module name="HiddenSearch" layoutPanel="panel_row1_col1"
group="Select TimeRange and ThreatName to Display" autoRun="True"
width="100px">
<!--
The base search that all charts will build off of. The $threat$ and
$domain$ are the variables set by the drop down lists
-->
<param name="search">sourcetype="Sophos" ThreatName=$threat$
DomainName=$domain$ ThreatType="1" ActionTaken="101" | fields
ThreatName, DomainName
</param>
<module name="TimeRangePicker">
<param name="default">Last 60 minutes</param>
<param name="selected">Last 60 minutes</param>
<param name="searchWhenChanged">False</param>
<!--
This is the query that populates the ThreatName drop down list. It
utilizes a saved search.
-->
<module name="SearchSelectLister" autoRun="True">
<param name="savedSearch">Test1</param>
<param name="useHistory">True</param>
<param name="settingToCreate">series_setting</param>
<param name="searchWhenChanged">False</param>
<param name="label">ThreatName</param>
<param name="staticFieldsToDisplay">
<list>
<param name="label">All</param>
<param name="value">*</param>
</list>
</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">ThreatName</param>
<param name="value">ThreatName</param>
</list>
</param>
<module name="SearchSelectLister" autoRun="True">
<param name="savedSearch">Test2</param>
<param name="useHistory">True</param>
<param name="settingToCreate">series_setting2</param>
<param name="searchWhenChanged">False</param>
<param name="label">DomainName</param>
<param name="staticFieldsToDisplay">
<list>
<param name="label">All</param>
<param name="value">*</param>
</list>
</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">DomainName</param>
<param name="value">DomainName</param>
</list>
</param>
<!-- Set the $threat$ variable here -->
<module name="ConvertToIntention">
<param name="settingToConvert">series_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="threat">
<param name="default">blah</param>
<param name="fillOnEmpty">True</param>
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">series_setting2</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="domain">
<param name="default">blah</param>
<param name="fillOnEmpty">True</param>
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="SubmitButton">
<param name="label">Show Charts</param>
<!-- Display the preview charts by post-processing the base query -->
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1"
group="Count by ThreatName Over Time">
<param name="search">timechart count by ThreatName</param>
<module name="JobStatus">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">Count</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row3_col1"
group="Count by Domain Over Time">
<param name="search">timechart count by DomainName</param>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">Count</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row3_col2"
group="Count by Domain">
<param name="search">chart count by DomainName | sort -num(count)
</param>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="SimpleResultsTable">
<param name="drilldown">all</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
Are you sure it's not because of the change in selection when your listers get populated? That can be avoided by adding
<param name="searchWhenChanged">False</param>
to your search listers.
I posted it below. Do you see anything?
Yes, that would help 🙂
Both of my search listers are set to False for searchWhenChanged. Would it help if I paste my code?