I want to use saved searches in my dashboards for certain types of searches, mostly based on perfmon. As the searches are tuned / modified, all dashboards referencing that saved search will get the updated content. In order to accomplish this I need to be able to pass parameters to the saved search such as host name, time range, span etc. How do I pass in $host$ from the input to the saved search?

Search = host=$host$ | dedup host | table host

All that needs to be done is take any inputs defined in the dashboard and make them available to the savedsearch. For example, if there's a $host$ token defined, make $host$ available to the saved search. If the saved search makes use of them, great; if not, no harm done.

The goal of this exercise was to move away from inline searches. The model I wanted to move to was essentially treating 'savedsearches' like SQL stored procedures. Write it once and then let everyone utilize it. I've got hundreds of developers, testers and analysts all creating dashboards for their little corner of the world. They should just be able to pick the reports that they want to see in a dashboard and add them to their panels. That way they can focus on presenting the data that's unique to their job. I don't believe it's a good use of their time creating a chart that shows "processor time" since I've already done it, correctly. With inline searches:
1. There will be variations of how the same data is searched and presented.
2. If an issue is found in a particular search, the fix is going to need to be applied to all of the dashboards I created.

The 2nd option you presented isn't feasible. The savedsearch would have to run against all hosts and then filter in the ones that you actually wanted. We've got ~4,500 hosts, so that's a non-starter.

I envision something like: index=network sourcetype=cisco | call existing report MalwareHits | rename ip as query | fields query. I know the search part works, but I hate to actually duplicate the entire MalwareHits report inline. I'm going to submit this as a feature request. This would make it MUCH easier to maintain code and simplify viewing big complex searches.

Solved: I'm trying to find how to get the REST API endpoints for saved searches, but I'm finding conflicting information.

It's not working because you're using the /servicesNS/ (Namespace) endpoint, which forces the user and app context. In your case, it's looking for a savedsearch owned by the 'admin' user and created in the 'search' app.

All knowledge objects can be edited and managed via Manager. Saved searches are a type of knowledge object (along with other kinds of user-created metadata like event types, tags, lookups, transactions, workflow actions, and so on). To edit or delete a saved search, you need to use Splunk Manager, as Becky states above.

You should quote the search string with double quotes ("), but if you have to use double quotes within the search string to quote the name of a saved search, you probably need to quote those in turn by using double double-quotes ("") in place of the single ones. Basically, this is because the Windows CMD shell has strange rules.
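The thread touches three mechanics that are easy to get wrong: handing a dashboard token such as $host$ to a saved search, quoting a search string that itself contains double quotes on the Windows CMD shell, and choosing between the /services/ and /servicesNS/ REST paths. The block below is an added example, written for this page and not code from Splunk or from any poster. It assumes that Splunk's `| savedsearch` command accepts `name=value` arguments that replace `$name$` tokens inside the saved search (the `substitute_tokens` function is only a local model of that behaviour for testing, not Splunk's implementation), and all identifiers in it (`MalwareHits`, `web01`) are constructed sample values.

```python
import re

# $name$ tokens, the same shape Splunk dashboards and saved searches use.
TOKEN_RE = re.compile(r"\$(\w+)\$")


def missing_tokens(search: str, args: dict) -> list:
    """Tokens the saved search references that the caller did not supply."""
    return sorted({m.group(1) for m in TOKEN_RE.finditer(search)} - set(args))


def substitute_tokens(search: str, args: dict) -> str:
    """Local model of what happens when a saved search runs with arguments:
    every $name$ is replaced textually by the supplied value."""
    gaps = missing_tokens(search, args)
    if gaps:
        raise KeyError(f"no value supplied for tokens: {gaps}")
    return TOKEN_RE.sub(lambda m: str(args[m.group(1)]), search)


def spl_quote(value: str) -> str:
    """Wrap a value as an SPL string literal, escaping backslash and the
    embedded double quote. Quoting every dashboard input this way is what
    keeps a user-supplied value from being parsed as extra SPL."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_savedsearch_invocation(name: str, args: dict) -> str:
    """Build `| savedsearch "<name>" key="value" ...` from dashboard inputs.
    Argument names are restricted to identifiers because they become $key$
    tokens inside the saved search."""
    parts = ["| savedsearch", spl_quote(name)]
    for key, value in args.items():
        if not re.fullmatch(r"\w+", key):
            raise ValueError(f"illegal token name: {key!r}")
        parts.append(f"{key}={spl_quote(str(value))}")
    return " ".join(parts)


def quote_for_cmd(search: str) -> str:
    """Quote a search string for `splunk search ...` on the Windows CMD shell:
    the whole string goes in double quotes and every inner double quote is
    doubled, as the thread describes."""
    return '"' + search.replace('"', '""') + '"'


def saved_search_endpoint(user: str = None, app: str = None) -> str:
    """REST path for saved searches. /services/ runs without a user/app
    context; /servicesNS/<user>/<app>/ pins both, and '-' is the wildcard,
    so /servicesNS/admin/search/ only finds objects owned by admin in the
    search app."""
    if user is None and app is None:
        return "/services/saved/searches"
    return f"/servicesNS/{user or '-'}/{app or '-'}/saved/searches"


if __name__ == "__main__":
    saved = "host=$host$ | dedup host | table host"  # constructed saved search
    inputs = {"host": "web01"}                        # constructed dashboard input
    call = build_savedsearch_invocation("MalwareHits", inputs)
    print(call)
    print(quote_for_cmd(call))
    print(substitute_tokens(saved, inputs))
    print(saved_search_endpoint("admin", "search"), saved_search_endpoint())
```

A value such as `web01" | delete` passed through `spl_quote` stays a single string literal (`"web01\" | delete"`) rather than becoming a second command, which is the reason to build the invocation from quoted arguments instead of pasting raw token text into the search.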