How to identify the search that generated a dashboard panel?

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I'm running the search below inserting a specific user name.

index=_audit NOT "search=' | history" NOT (user=splunk-system-user OR user="monitoring" OR user="txm.alerts") NOT "search='typeahead" NOT "search=' | metadata type=* | search totalCount>0"
| eval Status=if(like(_raw, "%export%"), 1, 0)
| where Status=1
| search user="name"
| table user, search

The search runs, but because the user has exported data from a dashboard panel, the results for the search are returned as follows:

> REST:
> /search/jobs/_c3RlcGiZW5u_c3lbi5iZW5u_c3BsZXh0cmFjdC1hcHA__search9_147626.3699/results/export][n/a]

Could someone tell me please, is there a way to actually see the search for the dashboard panel?

Many thanks and kind regards

Chris

0 Karma
1 Solution

woodcock
Esteemed Legend

You can add this to your dashboard:

<done>
  <set token="MyPanelJobSID">$job.sid$</set>
</done>

Then the token is available for use anywhere, even in the title of the panel (a good place to put it for debugging).

IRHM73
Motivator

Hi @woodcock, forgive me because this is something that I've not done before. But I think I've set the token correctly as below:

<panel>
  <input type="time" token="time_range1">
    <label>Cust. Satisfaction Time</label>
    <default>
      <earliestTime>-8d@d</earliestTime>
      <latestTime>-1d@d</latestTime>
    </default>
  </input>
  <table>
    <title>Customer Satisfaction</title>
    <search>
      <query>QUERY CONTENT</query>
      <earliest>$time_range1.earliest$</earliest>
      <latest>$time_range1.latest$</latest>
      <!-- <done> is a search event handler, so it is nested inside <search> -->
      <done>
        <set token="MyPanelJobSID">$job.sid$</set>
      </done>
    </search>
  </table>
</panel>

But could you tell me please how I then search for the token Id in my query?

Many thanks and kind regards

Chris

0 Karma

rjthibod
Champion

@IRHM73

You use the loadjob SPL command with the SID. After the first command in the query below, you can do whatever SPL commands you want, i.e., there are no limitations, unlike post-processing and global searches.

<search>
  <query>| loadjob $MyPanelJobSID$ | ... more SPL as you need it ... | ... | ...</query>
</search>

woodcock
Esteemed Legend

Exactly right.

0 Karma

rjthibod
Champion

^ This is correct for newer versions of Splunk Enterprise. If you are using something pre-6.3, you must use JavaScript.

0 Karma

hunters_splunk
Splunk Employee

Hi IRHM73,

Not sure if I understand your question correctly, but instead of table user, search, I'm wondering if you could try table user, savedsearch_name so that you can identify the specific saved search that was executed?

Thanks!
Hunter Shen

0 Karma

IRHM73
Motivator

Hi @hunters, thank you for taking the time to reply to my post. I think you've understood it correctly, but with the use of queries on panels, as I'm sure you know, the query isn't always a saved search, but it's hardcoded into the source XML for the dashboard, so unfortunately this doesn't work.

Kind Regards

Chris

0 Karma
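
The correlation the original question asks for, as an added example that is not part of the thread: the export entry's REST path contains the job SID, which can be matched against the search_id of the audited search event to recover the panel's search text. The sample lines are constructed, and their layout (search_id='...', search='...', and the export path in the form quoted in the question) is an assumption about the audit log format.

```python
import re

# Constructed audit.log-style lines (not taken from the thread). Assumed layout:
# audited searches carry search_id='<sid>' and search='<text>'; the export entry
# shows the job path in the form quoted in the question.
SAMPLE_AUDIT = [
    "Audit:[timestamp=10-12-2016 09:14:59.100, user=chris, action=search, info=granted, "
    "search_id='chris__chris__demo__search9_1476263699.3699', "
    "search='search index=sales | stats avg(score) by region', autojoin='1']",
    "Audit:[timestamp=10-12-2016 09:18:10.020, user=admin, action=search, info=granted, "
    "search_id='1476263890.12', "
    "search='search index=_audit \"/search/jobs/x/results/export\"', autojoin='1']",
    "Audit:[timestamp=10-12-2016 09:20:03.412, user=chris, action=search, info=granted "
    "REST: /search/jobs/chris__chris__demo__search9_1476263699.3699/results/export][n/a]",
    "Audit:[timestamp=10-12-2016 09:25:41.007, user=dana, action=search, info=granted "
    "REST: /search/jobs/dana__dana__demo__search2_1476200000.17/results/export][n/a]",
]

SEARCH_RE = re.compile(r"search_id='(?P<sid>[^']+)'.*?search='(?P<search>.*?)'(?:, \w+=|\])")
EXPORT_RE = re.compile(r"/search/jobs/(?P<sid>[^/\]\s]+)/results/export")
USER_RE = re.compile(r"\buser=(?P<user>[^,\]\s]+)")


def exported_searches(lines):
    """Return (user, sid, search_text) for every export request in the log.

    search_text is None when the job's own audit event is not in the input,
    for example because it was logged before the window that was collected.
    """
    search_by_sid = {}
    exports = []
    for line in lines:
        job = SEARCH_RE.search(line)
        if job:
            # An audited search, including an analyst's own hunt that merely
            # mentions the export path in its text: index it, do not count it.
            search_by_sid.setdefault(job["sid"], job["search"])
            continue
        export = EXPORT_RE.search(line)
        if export:
            user = USER_RE.search(line)
            exports.append((user["user"] if user else None, export["sid"]))
    return [(user, sid, search_by_sid.get(sid)) for user, sid in exports]


if __name__ == "__main__":
    for user, sid, text in exported_searches(SAMPLE_AUDIT):
        print(f"{user}\t{sid}\t{text or '<search event not in log>'}")
```
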