Add searches with search managers

The Splunk Web Framework represents a search using a search manager. You can think of a search manager like a wrapper around a search that includes the search query (for example, "index=main | head 100 | timechart count by sourcetype") and the properties of the search (for example, the search mode or the time range to search). The search manager handles the operation of the search (start, cancel, pause, etc.) and the lifetime of the search by listening for certain events, so you can monitor the progress of the search. Your searches are dynamic, too: when you change the search query or search properties, the search manager cancels the old search and starts a new one.

The Web Framework provides different types of search managers depending on the type of search you are creating:

  • SearchManager manages a search job, where you provide a search query and additional properties.
    • Provide a search query but do not include the "search" command. The query can include data-binding token variables, such as "$indexName$", to share values with other Splunk views. For more, see Bind data using tokens.
    • Set properties to customize the search job, such as the earliest and latest times to search, whether to enable or disable preview results, and more.
    • Set properties that indicate how to run the search, such as whether to automatically start a search when a page is loaded, or whether to retrieve cached search results when available.
  • PostProcessManager manages a post-process search, which is based on a main search. Rather than running multiple searches that are variations on the same search, you can set up a base search manager and use additional post-process search managers to save search resources. The main search should pass results, not events, to the post-process search (for more about post-process search limitations and forming a base search, see Post-process searches in the Dashboards and Visualizations manual). This manager only takes a search query and the ID of the main search.
  • SavedSearchManager manages a single saved report. This search manager behaves the same as SearchManager, except the search query and properties have been saved previously so you just provide the saved report name instead of a search query.

Each of these search managers has a number of properties, methods, and events: properties to customize the search, methods to manage the operation of the search (such as pausing or canceling), and events to indicate the search progress. For a list of properties, methods, and events, see the Splunk Web Framework Component Reference.

Examples

The following is an example of a search manager:

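// Load the SearchManager class from the Web Framework
require(["splunkjs/mvc/searchmanager"], function(SearchManager) {
    // Inline search with preview results and cached results enabled
    var mysearch = new SearchManager({
        id: "search1",
        preview: true,
        cache: true,
        status_buckets: 300,
        search: "index=_internal | head 1000 | stats count by sourcetype"
    });
});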

The following is an example of a saved search manager:

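// Load the SavedSearchManager class from the Web Framework
require(["splunkjs/mvc/savedsearchmanager"], function(SavedSearchManager) {
    // Run the saved report "Top five sourcetypes" from the search app
    var mysavedsearch = new SavedSearchManager({
        id: "savedsearch1",
        searchname: "Top five sourcetypes",
        app: "search"
    });
});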

The following is an example of a main search with two post-process search managers:

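// Load both manager classes from the Web Framework
require([
    "splunkjs/mvc/searchmanager",
    "splunkjs/mvc/postprocessmanager"
], function(SearchManager, PostProcessManager) {
    // Main search that both post-process searches build on
    var searchmain = new SearchManager({
        id: "main-search",
        search: "index=_internal | head 100 | fields *",
        preview: true,
        cache: true
    });

    // Each post-process search refers to the main search by its ID
    var searchpostproc1 = new PostProcessManager({
        id: "postprocsearch1",
        managerid: "main-search",
        search: " | stats count by sourcetype"
    });

    var searchpostproc2 = new PostProcessManager({
        id: "postprocsearch2",
        managerid: "main-search",
        search: " | fields sourcetype, source, host"
    });
});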
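
Because a token such as "$indexName$" is substituted into the search query, a page that fills it from user input can check the value before the search manager receives it. The following JavaScript is an added example, not code from the Splunk documentation: resolveTemplate is a simplified stand-in for token substitution, and the allow-list, the "limit" token and the function names are assumptions.

```javascript
// Per-token validators (assumed policy): every token allowed in a search
// template has one, and a value is substituted only if its validator passes.
const ALLOWED_INDEXES = new Set(["main", "_internal"]);
const VALIDATORS = new Map([
    ["indexName", (v) => typeof v === "string" && ALLOWED_INDEXES.has(v)],
    ["limit", (v) => Number.isInteger(v) && v >= 1 && v <= 1000]
]);

// Simplified stand-in for token substitution: replaces each $name$ in the
// template with its validated value, and throws rather than substituting a
// value that is missing, rejected, or belongs to a token with no validator.
function resolveTemplate(template, tokens) {
    return template.replace(/\$(\w+)\$/g, (match, name) => {
        const validate = VALIDATORS.get(name);
        if (!validate) {
            throw new Error("no validator for token " + name);
        }
        const hasValue = Object.prototype.hasOwnProperty.call(tokens, name);
        const value = hasValue ? tokens[name] : undefined;
        if (!validate(value)) {
            throw new Error("rejected value for token " + name);
        }
        return String(value);
    });
}

// Builds the options object to pass to new SearchManager({...}); the
// property names are the ones used in the examples above.
function buildSearchOptions(id, template, tokens) {
    return {
        id: id,
        search: resolveTemplate(template, tokens),
        preview: true,
        cache: true
    };
}

// Constructed sample template and token values.
const TEMPLATE = "index=$indexName$ | head $limit$ | stats count by sourcetype";
const options = buildSearchOptions("search1", TEMPLATE, {
    indexName: "_internal",
    limit: 1000
});
console.log(options.search);
```

A value that contains anything beyond an allowed index name, such as a pipe followed by further commands, is rejected before a search is created.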