Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

dynamic multiple selection in saved search

abhayneilam
Contributor
‎07-22-2014 03:22 PM

Hi,

I have a below code which runs very slow because it is hitting the voluminous index to get the data which takes the huge time to retrieve the data for the particular dashboard ( I am using inline searches ) , Please see the code below :





<!-- Enable the sideview utils -->

<module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
</module>


<module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>

</module>


Select Report Time Period

        <module name="Search" layoutPanel="panel_row1_col2" autoRun="True">
  <param name="search">index=os sourcetype=vmstat source=plex earliest=-5m@m latest=now | lookup serverlist host | table server | dedup server | sort str(server)</param>


<module name="Pulldown">
  <param name="name">HOST_NAME</param>
  <param name="label">Server List :</param>
  <param name="size">4</param>
  <param name="template">server="$value$"</param>
  <param name="separator">+OR+</param>
  <param name="outerTemplate">( $value$ )</param>
  <param name="staticFieldsToDisplay"></param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">server</param>
      <param name="value">server</param>
    </list>
  </param>


                  <module name="SubmitButton">
          <param name="label">Submit</param>   






  <module name="HiddenSearch" layoutPanel="panel_row2_col1" >
        <param name="search">index=os | lookup serverlist host | search $HOST_NAME$ | avg(Percent_CPU_Load) by host_server useother=f limit=0</param>
        <param name="groupLabel">Percent Load by Host</param>
        <module name="HiddenChartFormatter">
          <param name="charting.primaryAxisTitle.text">Time</param>
          <param name="charting.secondaryAxisTitle.text">% Total CPU</param>
          <param name="charting.chart.nullValueMode">connect</param>
          <param name="charting.chart">line</param>
          <module name="JSChart">
            <param name="width">100%</param>
            <module name="ConvertToDrilldownSearch">
              <module name="ViewRedirector">
                <param name="viewTarget">flashtimeline</param>
              </module>
            </module>
          </module>
         </module>
      </module>



      </module>   

      </module> 

  </module>

I want to use "scheduled saved searches" instead of "inline" and server name should be picked dynamically as it was being picked before ( in the above code )

Please help !!

0 Karma
Reply

dshroff
Engager
‎02-11-2015 01:27 PM

Search should be saved as
saved_search_name
index=xyz KEY_1=123 KEY_2=456 HOST_NAME=$HOST_NAME$

When using in a dashboard it should be


<input type="text" token="HOST_NAME" searchWhenChanged="false">
<label>Host</label>
<default>*</default>
</input>

| savedsearch saved_search_name HOST_NAME =$HOST_NAME$

This works perfectly

0 Karma
Reply

somesoni2
Revered Legend
‎07-23-2014 01:03 PM

You can try this (untested)

1) create a saved search (say ss_getAvgCPULoadByHost) with following search string

index=os | lookup serverlist host | search $HOST_NAME$ | avg(Percent_CPU_Load) by host_server useother=f limit=0

Have it scheduled as per your need.

2) updated the search parameter for "HiddenSearch" module here, to 

| savedsearch ss_getAvgCPULoadByHost HOST_NAME="$HOST_NAME$"
0 Karma
Reply

abhayneilam
Contributor
‎07-23-2014 03:54 PM

I have removed "search $HOST_NAME$" from my saved search and it worked , but the graph is showing for all the listed items in the menu, Even If I select one or two items from the list, graph is appearing for all the itmes, I want to see the graph only for the selected items.

Please help !!

0 Karma
Reply

abhayneilam
Contributor
‎07-23-2014 03:45 PM

The above error has gone and now the below has come :

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'ss_getAvgCPULoadByHost': Error while replacing variable name='host_name'. Could not find variable in the argument map.

In my saved search , I have given the following query :
index=os sourcetype=cpu source=plex | lookup serverlist host | search server=$HOST_NAME$ | multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | timechart avg(Percent_CPU_Load) by host_server useother=f limit=0

0 Karma
Reply

abhayneilam
Contributor
‎07-23-2014 03:35 PM

When I execute it gives me the below error :

Error in 'savedsearch' command: Unable to find saved search named 'ss_getAvgCPULoadByHost''.

0 Karma
Reply

abhayneilam
Contributor
‎07-23-2014 07:11 AM

Can I please have some clue on the above problem ? Please I need a help on this !!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...