
Controlling search execution via dashboard inputs

mschellhouse
Path Finder

We want to be able to save specific dashboard inputs using outputlookup only if the user has selected a control (check box, radio button,??). All other panels should display as normal. Essentially what we want to do is store the timeframes entered in a "valid results" table that we can then use to recall the same dashboard output again at a later time. Any suggestions on the best way to implement this?

0 Karma

DalJeanis
Legend

Anywhere in your search, you can add this...

| appendpipe 
     [| addinfo 
      | stats min(info_min_time) as min_time  max(info_max_time) as max_time 
      | eval search_time = now()
      | table search_time min_time max_time
      | outputcsv mytempresults.csv 
      | where false()
      ]

That saves your data to a temp file, overwriting the file every time it runs.


Next, you create a hidden panel using depends/rejects, with its own search code. When your control is checked, pressed, whatever, it sets the depends token and allows the append search to run, which also blanks out the temp file.

      | inputcsv mytempresults.csv $mynulldependstoken$
      | outputcsv append=t myrealresults.csv
      | where false()
      | outputcsv mytempresults.csv

You need to set a postprocess in the form that will clear out the token again, and you're done.


lfedak_splunk
Splunk Employee

Hey @mschellhouse, if @DalJeanis solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma

mschellhouse
Path Finder

Can you help explain what the where statement is doing in your example?

0 Karma

DalJeanis
Legend

It is getting rid of every single transaction that was created, so it doesn't get appended to the results.

appendpipe processes all your events through its search and then adds whatever comes out to the end of the result set. |where false() ensures that there are no actual additions.

0 Karma