Can you help me with an issue involving the collect command?

ngerosa
Path Finder

Hi all,

I'm creating a panel where clicking on an "ACK" row opens a link to a search (in another window) that uses a collect command to write a parameter "true" to a column "Acknowledged".

But, I'm having some problems with the collect command. When starting a link on a search with collect, a warning popup appears: "The search that you are about to run contains commands that might present a security risk", so every time, I have to click on "Run" to start the collect command.

Is there a possibility to avoid this warning popup, so that the link to the search does not open any panel but is hidden?

Thanks all!

0 Karma
1 Solution

jeffland
SplunkTrust

You could create and run the search in the same dashboard like this:

<search>
  <query>
    your search | collect | eval runMe = "$startSearch$"
  </query>
</search>
<panel>
  <table>
    ...
    <drilldown>
      <eval token="startSearch">random()</eval>
    </drilldown>
  </table>
</panel>

The (initially unset) token startSearch will be set (and set again) on drilldown which will in turn make the search manager of the collect-search run. This should run the search silently and without requiring acknowledgement.

0 Karma

ngerosa
Path Finder

<dashboard>
  <label>test</label>
  <search>
    <query>
      index="test"
      | eval id=value1.ALARMDATE
      | search id="$click.value$"
      | eval acknowledged="true"
      | table id _time ALARMDATE DEFTIME value1 ACK acknowledged
      | collect index="test"
      | eval runMe = "$startSearch$"
    </query>
  </search>
  <row>
    <panel>
      <table>
        <search>
          <query>index="test"
            | eval id=value1.ALARMDATE
            | dedup id
            | eval ACK="ACK"
            | table id _time ALARMDATE DEFTIME value1 ACK acknowledged</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <drilldown>
          <eval token="startSearch">random()</eval>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

This is how I implemented your suggestion but it doesn't work.
I don't understand how I can pass the "id" value from a click.value command.

Thanks!

0 Karma

ngerosa
Path Finder

I resolved it by changing

<eval token="startSearch">random()</eval>

with

<set token="startSearch">random()</set>

0 Karma
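
A defender-side check for the pattern in this thread (jeffland's token-triggered search and ngerosa's dashboard), added here as an example and not code from any post: it parses a Simple XML dashboard and reports every embedded query that uses a risky command, which click-set tokens trigger it, and which click values flow into it. The function names and the `RISKY` list are assumptions (only `collect` comes from the thread), and the sample dashboard is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed subset of commands Splunk flags as risky; only `collect` is from the thread.
RISKY = {"collect", "outputlookup", "outputcsv", "delete", "sendemail"}
# Constructed sample, modelled on the dashboard posted in the thread.
SAMPLE = """<dashboard>
  <search><query>index="test" | search id="$click.value$" | eval acknowledged="true"
    | collect index="test" | eval runMe="$startSearch$"</query></search>
  <row><panel><table>
    <search><query>index="test" | dedup id | table id ACK</query></search>
    <drilldown><set token="startSearch">random()</set></drilldown>
  </table></panel></row>
</dashboard>"""

def spl_commands(query):
    """Split SPL on pipes outside double quotes; return each stage's first word."""
    stages, buf, quoted = [], [], False
    for ch in query:
        if ch == '"':
            quoted = not quoted
        if ch == "|" and not quoted:
            stages.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf))
    return [s.split()[0].lower() for s in stages if s.strip()]

def audit(xml_text):
    """Report risky queries and the drilldown (<set>/<eval>) tokens that reach them."""
    root = ET.fromstring(xml_text)
    click_set = {e.get("token") for d in root.iter("drilldown")
                 for e in d if e.tag in ("set", "eval") and e.get("token")}
    findings = []
    for q in root.iter("query"):
        text = q.text or ""
        risky = sorted(set(spl_commands(text)) & RISKY)
        tokens = set(re.findall(r"\$([\w.]+)\$", text))
        if risky:
            findings.append({
                "risky": risky,
                "click_triggered": sorted(tokens & click_set),
                "click_data": sorted(t for t in tokens if t.startswith(("click.", "row."))),
            })
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The splitter does not handle backslash-escaped quotes or expand macros, so treat an empty result as "nothing found by this check" and not as proof that a dashboard writes nothing.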