topic Re: Multiple Base searches in a dasboard with post processing searches in Dashboards & Visualizations

Multiple Base searches in a dasboard with post processing searches

joydeep741 — Mon, 25 May 2015 07:53:35 GMT

I have a dashboard with 4 panels/searches. I want to implement the following scenario :-

<\ FORM>
< searchTemplate >FIRST BASE SEARCH< /searchTemplate >
< postProcessSearch > Post Processing search 1 < /postProcessSearch>
< postProcessSearch > Post Processing search 2 < /postProcessSearch>
< searchTemplate >SECOND BASE SEARCH< /searchTemplate >
< postProcessSearch > Post Processing search 3 < /postProcessSearch>
< postProcessSearch > Post Processing search 4 < /postProcessSearch>
<\ /FORM>

Re: Multiple Base searches in a dasboard with post processing searches

rsennett_splunk — Mon, 25 May 2015 15:38:07 GMT

Use the id= and base= labels. Name your base searches with id and refer to them with base.

<form>
  <label>Multiple Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline. Each Base Search is Named</description>
  <search id="First_Base_Search">
      <query>index=_internal | head 1000</query>
  </search>
   <search id="Second_Base_Search">
      <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  </search>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="First_Base_Search">
          <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="First_Base_Search">
          <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
  <row>
    <chart>
      <title>Events Count by Log Level(Second)</title>
      <search base="Second_Base_Search">
          <query>| stats sum(count) AS count by log_level</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Error Count by Component(Second)</title>
      <search base="Second_Base_Search">
          <query>| search log_level=error | stats sum(count) AS count by component</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>

Re: Multiple Base searches in a dasboard with post processing searches

joydeep741 — Tue, 26 May 2015 13:06:00 GMT

But does this work in splunk v6.0 ?
I am getting "No search query provided. " error

Re: Multiple Base searches in a dasboard with post processing searches

rsennett_splunk — Tue, 26 May 2015 15:03:39 GMT

I believe this feature (multiple base searches) was implemented with 6.1
Current release is 6.2.3 - You may want to plan an upgrade, as you are two pretty major releases behind.
You can only have one base search in the version you're using and the syntax is different.

Re: Multiple Base searches in a dasboard with post processing searches

matthieu_araman — Tue, 26 May 2015 15:06:54 GMT

this is Splunk 6.2+ syntax which allow to name searches and reuse them.
I find it much easier and more powerfull that the postprocess stanzas.

So I would advice you to upgrade to be able to use this
Alternatively, there may be a possibility that's doable with advancedxml but never explored it.

Re: Multiple Base searches in a dasboard with post processing searches

landen99 — Tue, 12 Jan 2016 21:16:53 GMT

How do you implement multiple times with multiple time pickers into these multiple base searches?

Re: Multiple Base searches in a dasboard with post processing searches

landen99 — Fri, 18 Mar 2016 00:21:52 GMT

Base searches should be rendered in reporting format. To the first base search, I recommend adding

| stats count by sourcetype _time

possibly with bucket _time span=30m

Re: Multiple Base searches in a dasboard with post processing searches

androchentw — Thu, 26 Oct 2017 07:49:46 GMT

FYI: the example of official document is here: http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/Savedsearches#Post-process_examples

Re: Multiple Base searches in a dasboard with post processing searches

niketn — Thu, 26 Oct 2017 08:09:57 GMT

@androchentw, it is better to use latest instead of version so that the Splunk Documentation Link remains applicable to latest version until something is deprecated or removed or moved to a new link

http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_examples

Re: Multiple Base searches in a dasboard with post processing searches

rsennett_splunk — Thu, 26 Oct 2017 15:51:19 GMT

Updating with most recent doc for 7.0
http://docs.splunk.com/Documentation/Splunk/7.0.0/Viz/Savedsearches#Post-process_searches_2

Re: Multiple Base searches in a dasboard with post processing searches

rsennett_splunk — Thu, 26 Oct 2017 15:53:25 GMT

normally I'd agree regarding "latest" but since these answers discussions live forever it's maybe better to assume that, and put the version you refer to. otherwise it makes for a wild goose chase when you find the EXACT answer to your question in an 'old' answer but have no feature/time context. :). But I see your point.

Re: Multiple Base searches in a dasboard with post processing searches

sjodle — Fri, 03 Nov 2017 19:58:38 GMT

I should note that the Simple XML Reference (http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/PanelreferenceforSimplifiedXML#dashboard_or_form) contradicts this - the schema shows a maximum of one search per dashboard or form, though multiple do work.

Re: Multiple Base searches in a dasboard with post processing searches

rharrisssi — Wed, 29 Nov 2017 19:23:02 GMT

All of a sudden in 6.6.X you cannot put the base search in the same location as in rsennett's example. This is particularly annoying because if you do it from the filesystem there are no problems.