Splunk Search

Prevent Hidden Search from Running on Dashboard Load

novaMark
New Member

I have a dashboard I've put together that runs one hiddensearch with three wildcard search parameters (time, virus name, and group). These are drop down lists with a submit button to kick off the search. When the dashboard initially loads, it runs the search because autoRun has to be set to True for a hidden search. I would like to have it NOT run the query until values are selected from the drop down list and the submit button is pressed.

Is this possible with a hidden search? Setting autoRun to False in my module tag does not work.

Tags (2)
0 Karma
1 Solution

erydberg
Splunk Employee
Splunk Employee

In the xml that you pasted you have the HiddenSearch outside the intentions and listers, if you move in to inside the SubmitButton the search will be run when the button is clicked and you don't need the autoRun=true.

...

               <module name="SubmitButton">
                    <param name="label">Show Charts</param>
                    <module name="HiddenSearch" layoutPanel="panel_row1_col1">
                        <param name="search">sourcetype="Sophos" ThreatName=$threat$
                                DomainName=$domain$ ThreatType="1" ActionTaken="101" | fields
                                ThreatName, DomainName
                            </param>
                        <module name="HiddenPostProcess" layoutPanel="panel_row2_col1" group="Count by ThreatName Over Time">
                            <param name="search">timechart count by ThreatName</param>
                            <module name="JobStatus">
                                <module name="EnablePreview">
                                    <param name="enable">True</param>
                                    <param name="display">False</param>
                                    <module name="HiddenChartFormatter">
                                        <param name="chart">line</param>
                                        <param name="primaryAxisTitle.text">Time</param>
                                        <param name="secondaryAxisTitle.text">Count</param>
                                        <module name="FlashChart">
                                            <param name="width">100%</param>
                                            <param name="height">250px</param>
                                        </module>
                                    </module>
                                    <module name="ViewRedirectorLink">
                                        <param name="viewTarget">flashtimeline</param>
                                    </module>
                                </module>
                            </module>
                        </module>
                        <module name="HiddenPostProcess" layoutPanel="panel_row3_col1" group="Count by Domain Over Time">
                            <param name="search">timechart count by DomainName</param>
                            <module name="EnablePreview">
                                <param name="enable">True</param>
                                <param name="display">False</param>
                                <module name="HiddenChartFormatter">
                                    <param name="chart">line</param>
                                    <param name="primaryAxisTitle.text">Time</param>
                                    <param name="secondaryAxisTitle.text">Count</param>
                                    <module name="FlashChart">
                                        <param name="width">100%</param>
                                        <param name="height">250px</param>
                                    </module>
                                </module>
                                <module name="ViewRedirectorLink">
                                    <param name="viewTarget">flashtimeline</param>
                                </module>
                            </module>
                        </module>
                        <module name="HiddenPostProcess" layoutPanel="panel_row3_col2" group="Count by Domain">
                            <param name="search">chart count by DomainName | sort -num(count)
                            </param>
                            <module name="EnablePreview">
                                <param name="enable">True</param>
                                <param name="display">False</param>
                                <module name="SimpleResultsTable">
                                    <param name="drilldown">all</param>
                                </module>
                            </module>
                        </module>
                    </module>
                </module>
               </module>

...

View solution in original post

0 Karma

erydberg
Splunk Employee
Splunk Employee

In the xml that you pasted you have the HiddenSearch outside the intentions and listers, if you move in to inside the SubmitButton the search will be run when the button is clicked and you don't need the autoRun=true.

...

               <module name="SubmitButton">
                    <param name="label">Show Charts</param>
                    <module name="HiddenSearch" layoutPanel="panel_row1_col1">
                        <param name="search">sourcetype="Sophos" ThreatName=$threat$
                                DomainName=$domain$ ThreatType="1" ActionTaken="101" | fields
                                ThreatName, DomainName
                            </param>
                        <module name="HiddenPostProcess" layoutPanel="panel_row2_col1" group="Count by ThreatName Over Time">
                            <param name="search">timechart count by ThreatName</param>
                            <module name="JobStatus">
                                <module name="EnablePreview">
                                    <param name="enable">True</param>
                                    <param name="display">False</param>
                                    <module name="HiddenChartFormatter">
                                        <param name="chart">line</param>
                                        <param name="primaryAxisTitle.text">Time</param>
                                        <param name="secondaryAxisTitle.text">Count</param>
                                        <module name="FlashChart">
                                            <param name="width">100%</param>
                                            <param name="height">250px</param>
                                        </module>
                                    </module>
                                    <module name="ViewRedirectorLink">
                                        <param name="viewTarget">flashtimeline</param>
                                    </module>
                                </module>
                            </module>
                        </module>
                        <module name="HiddenPostProcess" layoutPanel="panel_row3_col1" group="Count by Domain Over Time">
                            <param name="search">timechart count by DomainName</param>
                            <module name="EnablePreview">
                                <param name="enable">True</param>
                                <param name="display">False</param>
                                <module name="HiddenChartFormatter">
                                    <param name="chart">line</param>
                                    <param name="primaryAxisTitle.text">Time</param>
                                    <param name="secondaryAxisTitle.text">Count</param>
                                    <module name="FlashChart">
                                        <param name="width">100%</param>
                                        <param name="height">250px</param>
                                    </module>
                                </module>
                                <module name="ViewRedirectorLink">
                                    <param name="viewTarget">flashtimeline</param>
                                </module>
                            </module>
                        </module>
                        <module name="HiddenPostProcess" layoutPanel="panel_row3_col2" group="Count by Domain">
                            <param name="search">chart count by DomainName | sort -num(count)
                            </param>
                            <module name="EnablePreview">
                                <param name="enable">True</param>
                                <param name="display">False</param>
                                <module name="SimpleResultsTable">
                                    <param name="drilldown">all</param>
                                </module>
                            </module>
                        </module>
                    </module>
                </module>
               </module>

...

0 Karma

novaMark
New Member

Okay, my problem was that every parent module needs to have autoRun="False". This is after changing the code to erydberg's recommendations.

0 Karma

novaMark
New Member

Apparently white space is minimized down to 1 space, so the hierarchy I gave is each module's level.

0 Karma

novaMark
New Member

I moved it inside the SubmitButton and have my Listers as the parent nodes, but the search is still running. I've tried setting auto-run to False to and have not had any luck either. My module hierarchy is now:

  • TimeRangePicker
    • SelectLister1
    • SelectLister2
      • ConverToIntention1
      • ConvertToIntention2
        • Submit Button
        • Hidden Search
0 Karma

novaMark
New Member
<module name="HiddenSearch" layoutPanel="panel_row1_col1"
    group="Select TimeRange and ThreatName to Display" autoRun="True"
    width="100px">
    <!--
        The base search that all charts will build off of. The $threat$ and
        $domain$ are the variables set by the drop down lists
    -->
    <param name="search">sourcetype="Sophos" ThreatName=$threat$
        DomainName=$domain$ ThreatType="1" ActionTaken="101" | fields
        ThreatName, DomainName
    </param>
    <module name="TimeRangePicker">
        <param name="default">Last 60 minutes</param>
        <param name="selected">Last 60 minutes</param>
        <param name="searchWhenChanged">False</param>
        <!--
            This is the query that populates the ThreatName drop down list. It
            utilizes a saved search.
        -->
        <module name="SearchSelectLister" autoRun="True">
            <param name="savedSearch">Test1</param>
            <param name="useHistory">True</param>
            <param name="settingToCreate">series_setting</param>
            <param name="searchWhenChanged">False</param>
            <param name="label">ThreatName</param>
            <param name="staticFieldsToDisplay">
                <list>
                    <param name="label">All</param>
                    <param name="value">*</param>
                </list>
            </param>
            <param name="searchFieldsToDisplay">
                <list>
                    <param name="label">ThreatName</param>
                    <param name="value">ThreatName</param>
                </list>
            </param>

            <module name="SearchSelectLister" autoRun="True">
                <param name="savedSearch">Test2</param>
                <param name="useHistory">True</param>
                <param name="settingToCreate">series_setting2</param>
                <param name="searchWhenChanged">False</param>
                <param name="label">DomainName</param>
                <param name="staticFieldsToDisplay">
                    <list>
                        <param name="label">All</param>
                        <param name="value">*</param>
                    </list>
                </param>
                <param name="searchFieldsToDisplay">
                    <list>
                        <param name="label">DomainName</param>
                        <param name="value">DomainName</param>
                    </list>
                </param>

                <!-- Set the $threat$ variable here -->
                <module name="ConvertToIntention">
                    <param name="settingToConvert">series_setting</param>
                    <param name="intention">
                        <param name="name">stringreplace</param>
                        <param name="arg">
                            <param name="threat">
                                <param name="default">blah</param>
                                <param name="fillOnEmpty">True</param>
                                <param name="value">$target$</param>
                            </param>
                        </param>
                    </param>
                    <module name="ConvertToIntention">
                        <param name="settingToConvert">series_setting2</param>
                        <param name="intention">
                            <param name="name">stringreplace</param>
                            <param name="arg">
                                <param name="domain">
                                    <param name="default">blah</param>
                                    <param name="fillOnEmpty">True</param>
                                    <param name="value">$target$</param>
                                </param>
                            </param>
                        </param>
                        <module name="SubmitButton">
                            <param name="label">Show Charts</param>
                            <!-- Display the preview charts by post-processing the base query -->
                            <module name="HiddenPostProcess" layoutPanel="panel_row2_col1"
                                group="Count by ThreatName Over Time">
                                <param name="search">timechart count by ThreatName</param>
                                <module name="JobStatus">
                                    <module name="EnablePreview">
                                        <param name="enable">True</param>
                                        <param name="display">False</param>
                                        <module name="HiddenChartFormatter">
                                            <param name="chart">line</param>
                                            <param name="primaryAxisTitle.text">Time</param>
                                            <param name="secondaryAxisTitle.text">Count</param>
                                            <module name="FlashChart">
                                                <param name="width">100%</param>
                                                <param name="height">250px</param>
                                            </module>
                                        </module>
                                        <module name="ViewRedirectorLink">
                                            <param name="viewTarget">flashtimeline</param>
                                        </module>
                                    </module>
                                </module>
                            </module>
                            <module name="HiddenPostProcess" layoutPanel="panel_row3_col1"
                                group="Count by Domain Over Time">
                                <param name="search">timechart count by DomainName</param>
                                <module name="EnablePreview">
                                    <param name="enable">True</param>
                                    <param name="display">False</param>
                                    <module name="HiddenChartFormatter">
                                        <param name="chart">line</param>
                                        <param name="primaryAxisTitle.text">Time</param>
                                        <param name="secondaryAxisTitle.text">Count</param>
                                        <module name="FlashChart">
                                            <param name="width">100%</param>
                                            <param name="height">250px</param>
                                        </module>
                                    </module>
                                    <module name="ViewRedirectorLink">
                                        <param name="viewTarget">flashtimeline</param>
                                    </module>
                                </module>
                            </module>
                            <module name="HiddenPostProcess" layoutPanel="panel_row3_col2"
                                group="Count by Domain">
                                <param name="search">chart count by DomainName | sort -num(count)
                                </param>
                                <module name="EnablePreview">
                                    <param name="enable">True</param>
                                    <param name="display">False</param>
                                    <module name="SimpleResultsTable">
                                        <param name="drilldown">all</param>
                                    </module>
                                </module>
                            </module>
                        </module>
                    </module>
                </module>
            </module>
        </module>
    </module>
</module>
</module>

0 Karma

erydberg
Splunk Employee
Splunk Employee

Are you sure it's not because of the change in selection when your listers get populated? That can be avoided by adding

<param name="searchWhenChanged">False</param>

to your search listers.

0 Karma

novaMark
New Member

I posted it below. Do you see anything?

0 Karma

erydberg
Splunk Employee
Splunk Employee

Yes, that would help 🙂

0 Karma

novaMark
New Member

Both of my search listers are set to False for searchWhenChanged. Would it help if I paste my code?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...