Databases Reference
In-Depth Information
Let's step through our values, as follows:
•
Name
: This can be anything. Let's name it after our time frame.
•
Label
: This is what will appear in the menu. You may notice two special
fields,
@field_name
and
@field_value
. These two fields only make sense
when
Show action in
is set to
Fields menus
.
There are a number of
@variables
available to workflow actions.
Search
http://docs.splunk.com/
for
Create workflow
actions in Splunk
to find complete documentation.
•
Apply only to the following fields:
: This can be blank or
*
to indicate
all fields.
•
Show action in
: We have chosen
Fields menus
in this case.
•
Action type
: We are running a search. It's a fairly strange search, as we
are using a macro, but it is still technically a search.
•
Search string
: The fact that this query is a macro doesn't matter to the
workflow action,
`context("$@field_name$", "$@field_value$", "$_
time$", "-1m", "+5m")`
. We will create the
context
macro next.
•
Run in app
: With nothing chosen, this macro will execute the search in
the current app.
•
Open in view
: We want to make sure that our query executes in
flashtimeline
, so we explicitly set it.
•
Run search in
: We choose
New window
.
•
Time
: Contrary to the previous advice, we have left the time frame
unspecified. We will be overriding the search times in the search itself.
Anything specified here will be replaced.
After clicking on
Save
, the workflow action is available on all the field menus.
Search WWH ::
Custom Search