Problem with reusing a base search with GoogleMaps

berndg · ‎12-23-2010

Hi,

i'm currently trying to "optimize" a dashboard by reusing a base search for different panels.

This is the dashboard I want to "optimize":

<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
    <label>DriverDownloadDOS</label>
    <module name="AccountBar" layoutPanel="appHeader"/>
    <module name="AppBar" layoutPanel="navigationHeader"/>
    <module name="Message" layoutPanel="messaging">
        <param name="filter">*</param>
        <param name="clearOnJobDispatch">False</param>
        <param name="maxSize">1</param>
    </module>
    <module name="Message" layoutPanel="messaging">
        <param name="filter">splunk.search.job</param>
        <param name="clearOnJobDispatch">True</param>
        <param name="maxSize">1</param>
    </module>
    <module name="TitleBar" layoutPanel="viewHeader">
        <param name="actionsMenuFilter">dashboard</param>
    </module>

    <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Yesterday abnormal activities" autoRun="True">
        <param name="earliest">-1d@d</param>
        <param name="latest">@d</param>
        <param name="search">|savedsearch "Calculate downloads to file ratio by ip"|where ratio &lt; 0.005 AND cnt_downloads &gt; 500|sort +ratio</param>            
        <module name="JobProgressIndicator">            
            <module name="EnablePreview">
                <param name="enable">True</param>
                <param name="display">False</param>
                <module name="SimpleResultsTable">
                    <param name="count">25</param>                            
                </module>
            </module>                
        </module>
    </module>                        

    <module name="HiddenSearch" layoutPanel="panel_row1_col2" group="Map View" autoRun="True">
        <param name="search">|savedsearch "Calculate downloads to file ratio by ip"|where ratio &lt; 0.005 AND cnt_downloads&gt;500|geonormalize|eval _geo_count=cnt_downloads|fields _geo_count,_lat,_lng</param>
        <param name="groupLabel">Map View</param>
        <param name="earliest">-1d@d</param>
        <param name="latest">@d</param>
        <module name="GoogleMaps">
            <param name="scrollwheel">off</param>
            <param name="autoPostProcess">false</param>
            <param name="height">400px</param>
            <param name="zoomLevel">2</param>
            <param name="scaleControl">on</param>
            <param name="mapType">hybrid</param>
            <param name="mapTypeControl">off</param>
            <param name="navigationControl">off</param>
        </module>
    </module>
</view>

This result in the correct map: http://www.freeimagehosting.net/uploads/2d01dd83f5.jpg

Here I want the same Output but reusing the base search:

<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
    <label>DriverDownloadDOS</label>
    <module name="AccountBar" layoutPanel="appHeader"/>
    <module name="AppBar" layoutPanel="navigationHeader"/>
    <module name="Message" layoutPanel="messaging">
        <param name="filter">*</param>
        <param name="clearOnJobDispatch">False</param>
        <param name="maxSize">1</param>
    </module>
    <module name="Message" layoutPanel="messaging">
        <param name="filter">splunk.search.job</param>
        <param name="clearOnJobDispatch">True</param>
        <param name="maxSize">1</param>
    </module>
    <module name="TitleBar" layoutPanel="viewHeader">
        <param name="actionsMenuFilter">dashboard</param>
    </module>

    <module name="HiddenSearch"  layoutPanel="panel_row1_col1" autoRun="True">
        <param name="earliest">-1d@d</param>
        <param name="latest">@d</param>
        <module name="HiddenSavedSearch" autoRun="True">
            <param name="savedSearch">Calculate downloads to file ratio by ip</param>    
            <module name="HiddenPostProcess" layoutPanel="panel_row1_col1" group="Yesterday abnormal activities" autoRun="True">
                <param name="search">where ratio &lt; 0.005 AND cnt_downloads &gt; 500|sort +ratio</param>            
                <module name="JobProgressIndicator">            
                    <module name="EnablePreview">
                        <param name="enable">True</param>
                        <param name="display">False</param>
                        <module name="SimpleResultsTable">
                            <param name="count">25</param>                            
                        </module>
                    </module>                
                </module>
            </module>                        
            <module name="HiddenPostProcess" layoutPanel="panel_row1_col2" group="Map View" autoRun="True">
                <param name="search">where ratio &lt; 0.005 AND cnt_downloads&gt;500|geonormalize|eval _geo_count=cnt_downloads|fields _geo_count,_lat,_lng</param>
                <param name="groupLabel">Map View</param>                
                <module name="GoogleMaps">
                    <param name="scrollwheel">off</param>
                    <param name="autoPostProcess">false</param>
                    <param name="height">400px</param>
                    <param name="zoomLevel">2</param>
                    <param name="scaleControl">on</param>
                    <param name="mapType">hybrid</param>
                    <param name="mapTypeControl">off</param>
                    <param name="navigationControl">off</param>
                </module>
            </module>
        </module>
    </module>
</view>

This result in this map visualisation: http://www.freeimagehosting.net/uploads/f543fc852e.jpg

I've no idea whats wrong. Is there a syntax failure or something like that in my dashboard? I'm an absolute newbie with the advanced dashboards. Until now I only used the simple XML-Style dashboards

sideview · ‎12-29-2010

You can learn a lot about how all this works by reading the 'UI Examples for 4.1' app.

Go to the 'launcher' app in your splunk instance and click 'browse other apps', scroll down a long while and then install the app called 'UI Examples for 4.1'. That app has about 60 example views that start you out with tiny hello world configurations and walk you up to more advanced techniques. The pacing is more than a little uneven and you may find it confusing but it is very rewarding to read through.

It is possible to do what you're trying to do. However there are some basic mistakes. You have a HiddenSavedSearch module downstream from HiddenSearch. HiddenSavedSearch will always obliterate the timeRange (because there is always a timerange saved with the saved search even if its the implicit range of 'all time').

Also you will have to read through the view in the UI Examples app called 'using postProcess on dashboards'. It will explain a few things that you will need to understand before using this technique. Notably the saved search you're trying to use probably doesnt refer to all the fields that you're using later in the postProcess, so splunk will not have extracted those fields in the job.

There are also two autorun="True" attributes which will make the UI slightly slower (you should only use one per branch)

But again, plan to spend an hour or two reading through the example views and the documentation in the UI examples app and a lot of this will become clearer.

berndg · ‎01-04-2011

Thank you for the hints. I didn't know that a SavedSearch has always a timeRange. Good to know!
All the fields I use in PostProcess seems to be extracted (I'm able to output them in a table inside a PostProcess).

Problem with reusing a base search with GoogleMaps

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life