- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Sideview SavedSearch module doesn't ssave the sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sideview SavedSearch module doesn't ssave the search
I'm probably missing something pretty basic, but when I put the Sideview SearchControls module into a view and save the search, the savedsearches.conf entry created looks like this:
[PopRedstonr]
action.email.reportServerEnabled = 0
alert.track = 0
displayview = CombinedDetail
request.ui_dispatch_view = CombinedDetail
search = *
Here is the XML (more or less - mostly less)
<view>
<blablabla/>
<module name="SearchControls">
<param name="sections">export print saveMenu createMenu </param>
<param name="jobControls">pause cancel</param>
<param name="saveMenu">saveSearch saveResults saveAndShareResults</param>
<param name="createMenu">createAlert createScheduledSearch</param>
<stuff>
The rest of my view XML
Search, table, redirector, etc.
</stuff>
</module>
</view>
If I run the same search in the search app and save it I get the search in my savedSearches.conf and it looks like this:
[PopRedstonr]
action.email.reportServerEnabled = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
auto_summarize.timespan = 1m
dispatch.earliest_time = 0
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = index="fbo" sourcetype="fboTEMPLATE" "*POP*Redstone*"\
| spath output=Date path=TEMPLATE.DATE\
| spath output=Record path=TEMPLATE.RECNUM\
| spath output=Subject path=TEMPLATE.SUBJECT\
| spath output=Location path=TEMPLATE.POPADDRESS\
| eval Date= strptime(Date,"%m%d%Y") \
| convert timeformat="%Y-%m-%d" ctime(Date) AS Date\
| table Date, Record, Location, Subject\
| sort Date desc
vsid = hq73cul2
Why am I getting only an asterisk instead of the search text in my view?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The answer has to do with how, when and why the searches get kicked off by the Splunk module framework.
First, the modules themselves don't actually kick off searches. It's the framework itself that does it as it's passing all the arguments around - more precisely as the "push" cascades down through the module hierarchy and as that push starts to hit modules that actually need search results. The point in the module hierarchy where the framework kicks off a given search, is called the "dispatch point" for that search.
To finally come back to your question, the SearchControls module has to be at or below the "dispatch point" of the search that you want to control. If on the other hand you put it somewhere weird in the hierarchy where no search would otherwise be getting dispatched, it'll itself cause a search * search to get dispatched, and so you'll be controlling that one. o_O
If you haven't read it, or even if you have, take a moment to get the latest Sideview Utils, and navigate to "Key Techniques > Overview of the Advanced XML". This page gives an explanation of all this. The bad news is that the explanation is quite long.
By the way the core Splunk JobStatus module has the same behavior - it has to be at or below the dispatching point of the job you want to operate on.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah Ha! That's a palindrome. I should have thought about that. I got it backwards because I am so used to pushing stuff to a search. I'll move it to where it belongs and chalk it up to not thinking downstream far enough.
Thanks Nick.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
