Hi
I like the simple xml post process and how fast it is when filtering data on a savedsearch.
However, on my dashboard, sometimes i want to override the saved search and expand the time range.
Is there any way to override saved search timerange and execute an inline search on the basesearch? This view is using simple xml postprocess and timerange button. Can a time token manually override the basesearch query?
fieldset submitButton="false">
<input type="text" token="FindHost" searchWhenChanged="true">
<label>HOST FILTER</label>
<default></default>
</input>
<input type="time" token="field1">
<label></label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>
</fieldset>
<search id="BaseSearch1" ref="ALERTcht"></search>
<row>
<panel>
<table>
<title>TEST</title>
<search base="BaseSearch1">
<query>
<![CDATA[| search host="*$FindHost$*" ]]>
</query>
</search>
<option name="displayRowNumbers">true</option>
<option name="height">300px</option>
<option name="wrap">false</option>
<option name="earliest">$field1$</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">100</option>
<option name="refresh.auto.interval">300</option>
<format type="sparkline" field="TREND">
<option name="type">bar</option>
<option name="height">20px</option>
<!-- Use colorMap to map specific values to selected colors -->
<option name="colorMap">
<option name="1:">#FF0000</option>
<option name=":0">#9ac23c</option>
</option>
<option name="barWidth">5px</option>
</format>
</table>
</panel>
</row>
<row>
It can. Just update the base search portion with this
Replace
<search id="BaseSearch1" ref="ALERTcht"></search>
With
<search id="BaseSearch1" ref="ALERTcht">
<earliest>$field1.earliest$</earliest>
<latest><$field1.latest$</latest>
</search>
It can. Just update the base search portion with this
Replace
<search id="BaseSearch1" ref="ALERTcht"></search>
With
<search id="BaseSearch1" ref="ALERTcht">
<earliest>$field1.earliest$</earliest>
<latest><$field1.latest$</latest>
</search>
Thanks -
Good news: is it makes the panels refresh when i choose a time.
Bad news: The charts still display the time defined in the 'Start time' and 'Finish time' under 'Time range' settings in the saved search form.
The underlying query in the saved search does not have earliest=-1h@h latest=now
<fieldset submitButton="false">
<input type="text" token="FindHost" searchWhenChanged="true">
<label>HOST FILTER</label>
<default></default>
</input>
<input type="time" token="field1">
<label>Timerange Under Development</label>
</input>
</fieldset>
<search id="BaseSearch1" ref="ALERTcht">
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
Ok.. Lets try another option. Update your base search with this now.
<search id="BaseSearch1" >
<query>| savedsearch ALERTcht </query>
<earliest>$field1.earliest$</earliest>
<latest><$field1.latest$</latest>
</search>
That works, however the default savedsearch is "waiting for input" until timerange is selected. Its no longer instantly loading the savedsearch history.
<input type="time" token="field1" searchWhenChanged="true">
<label></label>
<default>
<earliest></earliest>
<latest></latest>
</default>
</input>
</fieldset>
<search id="BaseSearch1" ref="ALERTcht">
<query>| savedsearch ALERTcht</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
standby, it might be working properly. testing.
I don't think its using the scheduled search history - I'll live with it for now.
It won't. ALso, if you're looking for flexibility to change the time range, the historical run wouldn't be useful anyways.
Understood...
The idea would be to have the dashboard refresh every 5 minutes in monitor mode by using the scheduled search history. And if a user changes the timerange selector it goes into inline mode.
I guess I could have two dashboards, one for monitoring and one for historical research..
Either way, appreciate your help.