- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Each searchpostprocess yeilding a new concurre...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Each searchpostprocess yeilding a new concurrent search
Hello ,
I have a dashboard with 6 panels. Each panel search is rendered by a master search template and I am using searchPostProcess to run data for each panel.
It seems that each panel is exceuting a new search that means total 6 panels yielding 6 new concurrent searches. Some users who has 3 concurrent searches access are not able to access the dashboard. Is there any way that I can stop the concurrent searches and make a master template search for all panels to run in single search.
I have seen splunk answers and got that to remove JobProgressIndicator modules from hiddenpostprocess and place it at top XML. I tried that too and didnt worked. Below is the advanced xml view of my dashboard.
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleForm" onunloadCancelJobs="true" template="dashboard.html">
<label>test</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="Message" layoutPanel="messaging">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="HiddenSearch" layoutPanel="viewHeader">
<param name="search">
index=test appid=$appid$
| eventstats sum(count) as Total
| stats sum(count) as count by user Total
| eval Percentage=100*(count/Total)
</param>
<module name="ExtendedFieldSearch">
<param name="replacementMap">
<param name="arg">
<param name="appid"/>
</param>
</param>
<param name="field">*App ID</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="appid">
<param name="fillOnEmpty">True</param>
</param>
</param>
</param>
<module name="TimeRangePicker">
<param name="searchWhenChanged">False</param>
<module name="SubmitButton">
<param name="allowSoftSubmit">True</param>
<param name="label">Search</param>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1" group="Status " autoRun="False">
<param name="search">
stats ....
</param>
<param name="groupLabel">Status </param>
<module name="ViewstateAdapter">
<param name="suppressionList"/>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator"/>
<module name="Paginator">
<param name="count">10</param>
<param name="entityName">results</param>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<param name="entityName">results</param>
<param name="allowTransformedFieldSelect">False</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col2" group="test" autoRun="False">
<param name="search">
stats ...
</param>
<param name="groupLabel">test</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>count</item>
<item>charting.chart.stackMode</item>
<item>charting.secondaryAxis.minimumNumber</item>
<item>charting.legend.placement</item>
<item>charting.chart</item>
<item>charting.gaugeColors</item>
<item>displayRowNumbers</item>
<item>charting.chart.nullValueMode</item>
<item>charting.chart.rangeValues</item>
<item>charting.secondaryAxis.maximumNumber</item>
<item>charting.secondaryAxis.scale</item>
<item>charting.layout.splitSeries</item>
</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="charting.chart.stackMode">default</param>
<param name="charting.secondaryAxis.minimumNumber">""</param>
<param name="charting.gaugeColors">[0xd13b3b,0xf7912c,0xebe42d,0x7e9f44]</param>
<param name="charting.chart">radialGauge</param>
<param name="charting.legend.placement">right</param>
<param name="charting.chart.nullValueMode">gaps</param>
<param name="charting.chart.rangeValues">[80,85,95,98,100]</param>
<param name="charting.secondaryAxis.maximumNumber">""</param>
<param name="charting.secondaryAxis.scale">""</param>
<param name="charting.layout.splitSeries">false</param>
<module name="JSChart">
<param name="width">100%</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Short version:: Add a single JobProgressIndicator module, put it just below the SubmitButton module, such that it is a sibling of all the HiddenPostProcess modules. Do not give the JobProgressIndicator module any child modules (aka "downstream" modules). This will solve your problem in that now only one search will be dispatched.
Longer version:
There are two things that are the biggest barriers to understanding the View XML.
The first one is the "upstream" and "downstream" thing. ie if module B isn't downstream from module A, then it cannot use any information or selections from module A, and in fact it has no idea that module A exists at all.
But the second confusing thing is basically "when and where and why and how are searches dispatched in the advanced XML?".
The best thing you can do to solidify your understanding, is get the latest version of the Sideview Utils app for free from the Sideview site, install it and then navigate to "Key techniques > Overview of the advanced xml". That page is the best explanation that I know of, of both of these confusing areas, and it walks through the whole thing starting from simple examples. At the end you'll be "broken" because the extremely unintuitive behavior will make sense to you.
http://sideviewapps.com/apps/sideview-utils/
UPDATE: I'm not sure why the intentions stuff is breaking and giving you that error. I loaded your view locally, got the same thing and I don't actually see what's wrong. Stringreplace intention syntax can be tricky though so it might be some syntax error.
However,
1) you're postprocessing results and then displaying them in a table. Note that if the postProcess search changes the number of result rows at all, the Paginator module will end up drawing the wrong number of page links. If you put Sideview Utils on the Splunk instance then you can use the Sideview Pager module which doesn't suffer from this bug.
2) Intentions can be hard to debug but with Sideview Utils you don't actually need them.
So, in the light of #1 and #2, I took the liberty of rewriting your view using Sideview stuff and as you can see it's quite a bit shorter, and you have no intentions to debug.
<view autocancelinterval="90" isvisible="true" objectmode="SimpleForm" onunloadcanceljobs="true" template="dashboard.html">
<label>test</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="SideviewUtils" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="Message" layoutPanel="messaging">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="TextField" layoutPanel="viewHeader">
<param name="name">appid</param>
<param name="template">$name$="$value$"</param>
<param name="label">*App ID</param>
<module name="TimeRangePicker">
<param name="searchWhenChanged">True</param>
<module name="SubmitButton">
<param name="allowSoftSubmit">True</param>
<param name="label">Search</param>
<module name="Search">
<param name="search">
index=test $appid$
| eventstats sum(count) as Total
| stats sum(count) as count by user Total
| eval Percentage=100*(count/Total)
</param>
<module name="JobProgressIndicator"/>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1" group="Status">
<param name="search">
stats count
</param>
<module name="Pager">
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<param name="entityName">results</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col2" group="test">
<param name="search">
stats count
</param>
<module name="HiddenChartFormatter">
<param name="charting.secondaryAxis.minimumNumber">""</param>
<param name="charting.gaugeColors">[0xd13b3b,0xf7912c,0xebe42d,0x7e9f44]</param>
<param name="charting.chart">radialGauge</param>
<param name="charting.legend.placement">right</param>
<param name="charting.chart.rangeValues">[80,85,95,98,100]</param>
<param name="charting.secondaryAxis.maximumNumber">""</param>
<param name="charting.secondaryAxis.scale">""</param>
<module name="JSChart">
<param name="width">100%</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
There's actually quite a few other things you could change but here I changed only enough to eliminate the need for intentions, and I changed Paginator to Pager, and removed some other things that were there only because they're side effects from simple-xml conversion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Weird. I saved your view locally and I see the same error. Normally that means there's something wrong with the intention syntax although I can't tell what it is in this case. I also updated my answer above (see "UPDATE")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the insight. I have changed my code like below :
But when I reload the dashboard and click on search, its giving PARSER: Applying intentions failed 'unicode' object has no attribute 'get' error. Can you help in fixing this ?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
