
Sideview Utils passing Pulldown value to SavedSearch

Parameshwara
Path Finder

My XML:

<module name="Search" layoutPanel="panel_row1_col1" autoRun="False">
  <param name="search">index=aaa | chart count over VendorName</param>
  <module name="Pulldown" layoutPanel="panel_row1_col1_grp1" autoRun="True">
    <param name="name">VdrName</param>
    <param name="label">Vendor Name</param>
    <param name="searchFieldsToDisplay">
      <list>
        <param name="label">VendorName</param>
        <param name="value">VendorName</param>
      </list>
    </param>

My Saved Search:
index=aaa VendorName="$VdrName$" [search index=bbb VendorName="$VdrName$"| stats...] | stats ...

My Question: How can I pass the VdrName value from my Pulldown module into my saved search? I've tried using the HiddenSearch and HiddenSavedSearch modules without success. My current option is to use the Search module and write the search query within the XML. Although this works, now I don't have the option to accelerate the search.

1 Solution

sideview
SplunkTrust

Well, both HiddenSearch and HiddenSavedSearch are Splunk modules and Splunk modules in general do not do $foo$ substitution.

From there, there is the Sideview module "SavedSearch", and it will do $foo$ substitution. The problem in this case is that it will do $foo$ substitution into the param that defines the savedsearch name, not into the actual search string of the savedsearch itself once the savedsearch gets loaded.

The good news is that it's far better to use a macro for this anyway. You're not really supposed to be saving savedsearches with $foo$ tokens in them -- really the use case you're describing is exactly what macros are for.

Create a macro (Manager > Advanced Search > Macros), call it like "vendor_name_search", give the macro a single argument, call that argument VdrName or VendorName or what-have-you, and have the macro's definition be

index=aaa VendorName="$VdrName$" [search index=bbb VendorName="$VdrName$"| stats...] | stats ...

like you have in your savedsearch today.

To illustrate, once you save this macro this means you can run it in any search, just by doing

`vendor_name_search("someVendorName")`

Here's some XML showing that macro now in use, just in an ordinary Sideview Search module right downstream from your Pulldown.

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">index=aaa | chart count over VendorName</param>
  <module name="Pulldown" layoutPanel="panel_row1_col1_grp1">
    <param name="name">VdrName</param>
    <param name="label">Vendor Name</param>
    <param name="searchFieldsToDisplay">
      <list>
        <param name="label">VendorName</param>
        <param name="value">VendorName</param>
      </list>
    </param>
    <module name="Search">
      <param name="search">`vendor_name_search("$VdrName$")`</param>
      <!-- modules that render the results go here -->
    </module>
  </module>
</module>

Note - you also had a little autoRun confusion in your XML. autoRun="False" will do nothing, and autoRun="True" should always be pulled up as high as possible. It was probably causing no harm in this case but it's best to be careful.

Don't forget to get the latest Sideview Utils - the latest is 2.3 and it's only available on the Sideview site, free for internal use. If you're still using the 1.3.5 version from Splunkbase you're missing a pretty vast number of fixes, features and improvements. http://sideviewapps.com/apps/sideview-utils
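
The macro described in this answer, written as the macros.conf stanza that Splunk stores when it is created through the Manager UI. This is an added example, not part of the original post; the app directory is a placeholder, and the `stats...` portions are elided in the thread and left as they appear there.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf   (<your_app> is a placeholder)
#
# In macros.conf a macro that takes arguments carries the argument count in
# parentheses in the stanza name, so the one-argument macro from the answer
# is stored as vendor_name_search(1).
[vendor_name_search(1)]
# Argument name; it is referenced as $VdrName$ inside the definition.
args = VdrName
# Same search string as the original saved search. "stats..." is elided in
# the thread and has to be replaced with the real stats clauses.
definition = index=aaa VendorName="$VdrName$" [search index=bbb VendorName="$VdrName$"| stats...] | stats ...
```

The view then calls it with one argument inside backticks, as in the Search module param above.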

sideview
SplunkTrust

It will actually. If the characteristics of the search match a saved search that has acceleration enabled, then the ad-hoc search will also be accelerated.

0 Karma

Parameshwara
Path Finder

I was trying out the macro function, but realized that it does not provide the option to accelerate the search. I would like to have the option to accelerate my searches.

0 Karma