All Apps and Add-ons

SearchPostProcess (or postprocessmanager) on WebFramework with custom

phoenixdigital
Builder

I have a client who currently has a very complex dashboard with a few custom visualisations written in AdvancedXML.

I am wanting to see if I can convert it to the "new" Splunk Web Framework however there seem to be a few limitations that I have not resolved yet.

My current dashboard has panels that all work from one parent realtime saved search 'Dashboard realtime data search'.

<module name="SavedSearch" layoutPanel="viewHeader" autoRun="True">
        <param name="name">Dashboard realtime data search</param>
        <module name="JobProgressIndicator">
            <module name="EnablePreview">
                <param name="display">False</param>
                <param name="enable">True</param>
            </module>
            <module name="PostProcess" layoutPanel="panel_row1_col1_grp1" group="Station State" autoRun="False">
                <param name="search">where this="that" AND sectionCode="common" | fields totals, range | table totals, range</param>
                <param name="groupLabel">Station State</param>
......
            <module name="HiddenPostProcess" layoutPanel="panel_row2_col1" group="Generator Data">
                <param name="search">where this="theother" AND like(sectionCode,"g%")</param>
                <module name="MyCustomVisualisation"></module>
            </module>

            <module name="HiddenPostProcess" layoutPanel="panel_row2_col1" group="Generator Data">
                <param name="search">where this="theNextOne" AND like(sectionCode,"g%")</param>
                <module name="MyOtherCustomVisualisation"></module>
            </module>
........

Basically it brings in the results of one big parent search in the 'SavedSearch' module.
Each panel then filters out the data it needs from this parent search.

Doing it this way reduces the load on the server as only one realtime search is running for all people viewing this dashboard.

So how to convert it to Splunk Web Framework

Working from the examples provided here in this Splunk app

https://apps.splunk.com/app/1603/

I am wanting to do something like this

SearchPostProcess seems to be the way to get parent/child searches working (note replace your.splunk.intance for links below)

http://your.splunk.intance:8000/en-US/app/simple_xml_examples/simple_search_postprocess?earliest=-24...

How do I incorporate this into a custom visualisation like this?

http://your.splunk.intance:8000/en-US/app/simple_xml_examples/custom_viz_tag_cloud_autodiscover?earl...

I can see that the tagcloud visualisation references the search manager 'tagcloud-search'

"managerid": "tagcloud-search"

But is there a way to filter the results of 'tagcloud-search'?

And then do the same with every other panel?

I worked out you can definitely reference the same search from other panels also but just not sure how to add additional filters to the search.

    <label>Custom Visualization with Auto-Discovery</label>
    <row>
        <table>
            <title>Table</title>
            <searchString>index=_internal source=*metrics.log group=pipeline | stats max(cpu_seconds) as cpu_seconds by processor | sort - cpu_seconds</searchString>
            <earliestTime>-24h</earliestTime>
            <latestTime>now</latestTime>
        </table>

        <html>
            <h2>Custom Visualization: Tag Cloud</h2>

            <div id="tagcloud-search"
                 class="splunk-manager splunk-searchmanager "
                 data-require="splunkjs/mvc/searchmanager"
                 data-options='{
                        "app": "infratil",
                        "preview": true,
                        "search": "index=_internal source=*metrics.log group=pipeline | stats max(cpu_seconds) as cpu_seconds by processor",
                        "earliest_time": "-24h"
                    }'>
            </div>

            <div id="tagcloud"
                 class="splunk-view"
                 data-require="app/infratil/components/rawdump/rawdump"
                 data-options='{
                        "minFontSize": 14,
                        "maxFontSize": 55,
                        "managerid": "tagcloud-search",
                        "valueField": "cpu_seconds",
                        "labelField": "processor"
                     }'>
            </div>
        </html>

    </row>
    <row>
        <html>
            <h2>Custom Visualization: Tag Cloud 2</h2>

            <div id="tagcloud2"
                 class="splunk-view"
                 data-require="app/infratil/components/rawdump/rawdump"
                 data-options='{
                        "minFontSize": 14,
                        "maxFontSize": 55,
                        "managerid": "tagcloud-search",
                        "valueField": "cpu_seconds",
                        "labelField": "processor"
                     }'>
            </div>
        </html>
    </row>
</dashboard>

Is this potentially how I should be doing it?

http://answers.splunk.com/answers/169754/splunk-django-webframework-cascading-form-search.html

Just not 100% sure how to translate this to SimpleXML

0 Karma
1 Solution

phoenixdigital
Builder

OK based on that other answer I linked to in the question it was definitely the right track.

I messed around with the "Tag Cloud Autodiscover" dashboard in the Splunk 6 Example searches app and got it sorted.

Ref : http://your.splunk.intance:8000/en-US/app/simple_xml_examples/custom_viz_tag_cloud_autodiscover?earl...

The key bit was just making a postprocessmanager which referenced the original manager.

Full code here

<dashboard script="autodiscover.js">
        <label>Custom Visualization with Auto-Discovery</label>
        <row>
            <table>
                <title>Table</title>
                <searchString>index=_internal source=*metrics.log group=pipeline | stats max(cpu_seconds) as cpu_seconds by processor | sort - cpu_seconds</searchString>
                <earliestTime>-24h</earliestTime>
                <latestTime>now</latestTime>
            </table>

            <html>
                <h2>Custom Visualization: Tag Cloud</h2>

                <div id="tagcloud-search"
                     class="splunk-manager splunk-searchmanager "
                     data-require="splunkjs/mvc/searchmanager"
                     data-options='{
                            "app": "myapp",
                            "preview": true,
                            "search": "index=_internal source=*metrics.log group=pipeline | stats max(cpu_seconds) as cpu_seconds by processor",
                            "earliest_time": "-24h"
                        }'>
                </div>

                <div id="tagcloud-searchpostprocess"
                     class="splunk-manager splunk-searchmanager "
                     data-require="splunkjs/mvc/postprocessmanager"
                     data-options='{
                            "managerid": "tagcloud-search",
                            "search": "| where like(processor,\"s%\")"
                        }'>
                </div>              

                <div id="tagcloud"
                     class="splunk-view"
                     data-require="app/infratil/components/rawdump/rawdump"
                     data-options='{
                            "minFontSize": 14,
                            "maxFontSize": 55,
                            "managerid": "tagcloud-search",
                            "valueField": "cpu_seconds",
                            "labelField": "processor"
                         }'>
                </div>
            </html>

        </row>
        <row>
            <html>
                <h2>Custom Visualization: Tag Cloud 2</h2>

                <div id="tagcloud2"
                     class="splunk-view"
                     data-require="app/infratil/components/rawdump/rawdump"
                     data-options='{
                            "minFontSize": 14,
                            "maxFontSize": 55,
                            "managerid": "tagcloud-searchpostprocess",
                            "valueField": "cpu_seconds",
                            "labelField": "processor"
                         }'>
                </div>
            </html>
        </row>
</dashboard>

View solution in original post

0 Karma

phoenixdigital
Builder

OK based on that other answer I linked to in the question it was definitely the right track.

I messed around with the "Tag Cloud Autodiscover" dashboard in the Splunk 6 Example searches app and got it sorted.

Ref : http://your.splunk.intance:8000/en-US/app/simple_xml_examples/custom_viz_tag_cloud_autodiscover?earl...

The key bit was just making a postprocessmanager which referenced the original manager.

Full code here

<dashboard script="autodiscover.js">
        <label>Custom Visualization with Auto-Discovery</label>
        <row>
            <table>
                <title>Table</title>
                <searchString>index=_internal source=*metrics.log group=pipeline | stats max(cpu_seconds) as cpu_seconds by processor | sort - cpu_seconds</searchString>
                <earliestTime>-24h</earliestTime>
                <latestTime>now</latestTime>
            </table>

            <html>
                <h2>Custom Visualization: Tag Cloud</h2>

                <div id="tagcloud-search"
                     class="splunk-manager splunk-searchmanager "
                     data-require="splunkjs/mvc/searchmanager"
                     data-options='{
                            "app": "myapp",
                            "preview": true,
                            "search": "index=_internal source=*metrics.log group=pipeline | stats max(cpu_seconds) as cpu_seconds by processor",
                            "earliest_time": "-24h"
                        }'>
                </div>

                <div id="tagcloud-searchpostprocess"
                     class="splunk-manager splunk-searchmanager "
                     data-require="splunkjs/mvc/postprocessmanager"
                     data-options='{
                            "managerid": "tagcloud-search",
                            "search": "| where like(processor,\"s%\")"
                        }'>
                </div>              

                <div id="tagcloud"
                     class="splunk-view"
                     data-require="app/infratil/components/rawdump/rawdump"
                     data-options='{
                            "minFontSize": 14,
                            "maxFontSize": 55,
                            "managerid": "tagcloud-search",
                            "valueField": "cpu_seconds",
                            "labelField": "processor"
                         }'>
                </div>
            </html>

        </row>
        <row>
            <html>
                <h2>Custom Visualization: Tag Cloud 2</h2>

                <div id="tagcloud2"
                     class="splunk-view"
                     data-require="app/infratil/components/rawdump/rawdump"
                     data-options='{
                            "minFontSize": 14,
                            "maxFontSize": 55,
                            "managerid": "tagcloud-searchpostprocess",
                            "valueField": "cpu_seconds",
                            "labelField": "processor"
                         }'>
                </div>
            </html>
        </row>
</dashboard>
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...