Splunk Search

Managing a list of column headers in a single location for multiple purposes

aholzer
Motivator

What is the best method for managing a list of fields that will be used to populate (at least, but not limited to) a Pulldown, and a search that ends in a Table command?

I've heard of lookups but not too familiar with them.

Any other ideas?

1 Solution

gregbujak
Path Finder

First thing to point out, this is a great thing to think about. It's terrible when you realize that the reason for inconsistencies is because your columns were defined in multiple locations.

Hopefully, there is a better way of doing this, but the way I have done this in the past is by using macros.

First, define a no-argument macro that provides the column names:

(name=blotter_columns)

A B C D E

This macro will be utilized by the search query that produces the table and the macro that helps produce the pulldown.

This macro -

(name=order_columns)

index=my_index | head 1 | table `blotter_columns` | transpose | table column | sort column

In the dashboard xml definition:

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">`order_columns`</param>

  <module name="Pulldown">
    <!-- pulldown parameters omitted in the original post -->
  </module>
</module>

Hope this helps.

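
As an added illustration, not code from the original post: how the two macros described above would be declared in macros.conf. The column names are constructed placeholders, and my_index stands in for whatever index the dashboard actually queries.

```ini
# macros.conf (added example; column names are constructed placeholders)

# Single source of truth for the column list. Every search ending in
# "| table `blotter_columns`" and the pulldown both expand this macro,
# so a column is added, removed or renamed in exactly one place.
[blotter_columns]
definition = order_id symbol quantity price side
iseval = 0

# Derives the pulldown choices from the column macro. It runs a real
# search against the index (index=my_index | head 1) every time the
# dashboard loads, which is where the load time goes, and transpose
# only emits rows for columns that exist on that one sampled event:
# a column missing from the sampled event is missing from the pulldown.
[order_columns]
definition = index=my_index | head 1 | table `blotter_columns` | transpose | table column | sort column
iseval = 0
```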

aholzer
Motivator

Thanks for your answer @gregbujak. That does actually provide a fairly straightforward way of keeping a centralized list.

Now, that search to populate the Pulldown takes at least 1 second to run, more like 1.5 seconds. So, all things considered, it isn't very efficient. For the Table search it works like a charm, though.

I'd love to hear if there are any other ideas out there on how this is done.


amit_saxena
Communicator

Hi,

Create a flat file with all the fields, with every field on a different line prefixed by the text "fieldname=".

Index that file in Splunk, and then create a search that will be used to populate a pulldown, or even to specify arguments to a command via a subsearch.

Let me know if that helps.

Regards,
Amit Saxena


amit_saxena
Communicator

Hi,

I agree with you that it's not the best solution.

Regards,
Amit Saxena


aholzer
Motivator

That's an interesting solution. Though wouldn't it become fairly inefficient as time went by and you are searching all-time for those indexed values?

Also, how would you modify existing entries? You'd have to delete the indexed value and re-index the flat file with the changes. Seems a bit of a hassle for something that should be fairly straightforward.
