Applying form input to Savedsearch results

sranga
Path Finder

Hi

I have a saved-search (my_search) that is configured to run every 30 minutes. It gathers aggregate data from the past 7 days.

I have a form that has one input field. Based on the input field value from this form, I would like to filter the results of my saved-search. I currently have this setup as:

<form>
  <label>Test</label>
  <fieldset>
    <input type="dropdown" token="field1">
      <label>Field</label>
      <choice value="1">A value</choice>
      <choice value="2">Another value</choice>
      <choice value="3">Second value</choice>
    </input>
  </fieldset>
  <row>
    <chart>
      <searchTemplate>| savedsearch "my_search" | search $field1$ | timechart count by field2 </searchTemplate>
      <title>My Chart</title>
    </chart>
  </row>
</form>  

When I access the chart, a new query is issued based on the field1 value. Is there a way to force the chart to use the "saved" results from the previous run of the search and then apply the filter rather than issuing a new query every time I access the chart?

Thanks for your help.

Ranga

Lowell
Super Champion

Per the docs:

Runs a saved search, possibly cached by disk. Also, performs macro replacement.

So it sounds like this should happen for you automatically.

I'm assuming that your scheduled saved search has already run previously, correct? I've run into issues like that before, which ended up just being timing related. You should be able to see previous runs in the job viewer (or in the dispatch directory on the server). You may want to also double check your permissions settings.

What happens if you run the search | savedsearch "my_search" interactively?


The other more complicated approach would be to switch to advanced XML (ugh) and use the HiddenSavedSearch and set the useHistory parameter to True. Then use a HiddenPostProcess module to do your post-processing search to do your form-level filtering.

Hopefully the first works.


Update: I was curious about the phrase "performs macro replacement", so I asked about it here: "What is macro replacement in a saved search?" While a useful feature, it doesn't appear to be what's going on here (based on the search given in the posted XML). And in fact (as gkanapathy points out) using macro replacement will prevent your saved search from being cached because the search changes based on those macro values.

0 Karma

gkanapathy
Splunk Employee

And your saved search above does not use a macro replacement, so as long as it's scheduled, it should use the saved artifact from the last run.

0 Karma

gkanapathy
Splunk Employee

A saved search with a macro replacement call will not use a cache.

0 Karma

sranga
Path Finder

Thanks. I was wondering how the macro-replacement should be specified in a saved search. This saved-search runs on a schedule. Should some value be specified as a default for the macro definition?

0 Karma