Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

dynamic multiple selection in saved search

abhayneilam
Contributor
‎07-22-2014 03:22 PM

Hi,

I have a below code which runs very slow because it is hitting the voluminous index to get the data which takes the huge time to retrieve the data for the particular dashboard ( I am using inline searches ) , Please see the code below :





<!-- Enable the sideview utils -->

<module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
</module>


<module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>

</module>


Select Report Time Period

        <module name="Search" layoutPanel="panel_row1_col2" autoRun="True">
  <param name="search">index=os sourcetype=vmstat source=plex earliest=-5m@m latest=now | lookup serverlist host | table server | dedup server | sort str(server)</param>


<module name="Pulldown">
  <param name="name">HOST_NAME</param>
  <param name="label">Server List :</param>
  <param name="size">4</param>
  <param name="template">server="$value$"</param>
  <param name="separator">+OR+</param>
  <param name="outerTemplate">( $value$ )</param>
  <param name="staticFieldsToDisplay"></param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">server</param>
      <param name="value">server</param>
    </list>
  </param>


                  <module name="SubmitButton">
          <param name="label">Submit</param>   






  <module name="HiddenSearch" layoutPanel="panel_row2_col1" >
        <param name="search">index=os | lookup serverlist host | search $HOST_NAME$ | avg(Percent_CPU_Load) by host_server useother=f limit=0</param>
        <param name="groupLabel">Percent Load by Host</param>
        <module name="HiddenChartFormatter">
          <param name="charting.primaryAxisTitle.text">Time</param>
          <param name="charting.secondaryAxisTitle.text">% Total CPU</param>
          <param name="charting.chart.nullValueMode">connect</param>
          <param name="charting.chart">line</param>
          <module name="JSChart">
            <param name="width">100%</param>
            <module name="ConvertToDrilldownSearch">
              <module name="ViewRedirector">
                <param name="viewTarget">flashtimeline</param>
              </module>
            </module>
          </module>
         </module>
      </module>



      </module>   

      </module> 

  </module>

I want to use "scheduled saved searches" instead of "inline" and server name should be picked dynamically as it was being picked before ( in the above code )

Please help !!

0 Karma
Reply

dshroff
Engager
‎02-11-2015 01:27 PM

Search should be saved as
saved_search_name
index=xyz KEY_1=123 KEY_2=456 HOST_NAME=$HOST_NAME$

When using in a dashboard it should be


<input type="text" token="HOST_NAME" searchWhenChanged="false">
<label>Host</label>
<default>*</default>
</input>

| savedsearch saved_search_name HOST_NAME =$HOST_NAME$

This works perfectly

0 Karma
Reply

somesoni2
Revered Legend
‎07-23-2014 01:03 PM

You can try this (untested)

1) create a saved search (say ss_getAvgCPULoadByHost) with following search string

index=os | lookup serverlist host | search $HOST_NAME$ | avg(Percent_CPU_Load) by host_server useother=f limit=0

Have it scheduled as per your need.

2) updated the search parameter for "HiddenSearch" module here, to 

| savedsearch ss_getAvgCPULoadByHost HOST_NAME="$HOST_NAME$"
0 Karma
Reply

abhayneilam
Contributor
‎07-23-2014 03:54 PM

I have removed "search $HOST_NAME$" from my saved search and it worked , but the graph is showing for all the listed items in the menu, Even If I select one or two items from the list, graph is appearing for all the itmes, I want to see the graph only for the selected items.

Please help !!

0 Karma
Reply

abhayneilam
Contributor
‎07-23-2014 03:45 PM

The above error has gone and now the below has come :

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'ss_getAvgCPULoadByHost': Error while replacing variable name='host_name'. Could not find variable in the argument map.

In my saved search , I have given the following query :
index=os sourcetype=cpu source=plex | lookup serverlist host | search server=$HOST_NAME$ | multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | timechart avg(Percent_CPU_Load) by host_server useother=f limit=0

0 Karma
Reply

abhayneilam
Contributor
‎07-23-2014 03:35 PM

When I execute it gives me the below error :

Error in 'savedsearch' command: Unable to find saved search named 'ss_getAvgCPULoadByHost''.

0 Karma
Reply

abhayneilam
Contributor
‎07-23-2014 07:11 AM

Can I please have some clue on the above problem ? Please I need a help on this !!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...