Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calling multiple Search Templates in a form

alenseb
Communicator
‎11-27-2012 08:55 PM

Hi All,

I am trying to call to 2 search template in the same form and then display them with different charts.
However, I found the charts in lower part can't show anything unless if remove the first search Template the corresponding charts.
Is this possible to do?

Please suggest.

Thanks!!

This is the code:

<form>
  <label>Simple select drop down</label>
  <!-- define master search template, with replacement tokens delimited with $ -->
  <searchName>abc</searchName>
  <searchTemplate>sourcetype="search1"</searchTemplate>
  <earliestTime>-300d</earliestTime>
  <latestTime>-0d</latestTime>
  <searchTemplate>"search2"</searchTemplate>
  <earliestTime>-300d</earliestTime>
  <latestTime>-0d</latestTime>
  <fieldset>
    <!-- Define a simple dropdown form driven by a search -->
    <input type="dropdown" token="UserName">
      <label>Select user</label>
      <populatingSearch fieldForValue="UserName" fieldForLabel="UserName"><![CDATA[|savedsearch Details|top UserName]]></populatingSearch>
      <choice value="%">All</choice>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>TimeChart</title>
      <option name="charting.chart">pie</option>
    </chart>
    <chart>
      <title>TimeChart</title>
      <option name="charting.chart">bar</option>
    </chart>
  </row>
</form>
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎11-28-2012 03:32 AM

Move the searches inside the charts.

i.e.

<chart>
  <searchTemplate>sourcetype="search1"</searchTemplate>
  <earliestTime>-300d</earliestTime>
  <latestTime>-0d</latestTime>
  <title>TimeChart</title>
  <option name="charting.chart">pie</option>
</chart>

If you have 2 search templates at the same level, one will clobber the other.

If you view the advanced xml (add ?showsource=t to the end of your views URL) you'll see what the simple XML gets converted to.

Whole sections of your forms xml mysteriously disappear.

Here's a working example :

<form>
  <label>Dashboard to convert to Form Search</label>
  <fieldset>
    <input type="text" token="series">
      <label>sourcetype</label>
      <default/>
      <seed>splunkd</seed>
      <suffix>*</suffix>
    </input>
  </fieldset>
  <row>
    <chart>
      <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ | timechart avg(eps) </searchTemplate>
      <earliestTime>-1w</earliestTime>
      <latestTime>-1d</latestTime>
      <option name="charting.chart">line</option>
    </chart>
    <chart>
      <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ | timechart avg(kbps) </searchTemplate>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">column</option>
    </chart>
  </row>
</form>

View solution in original post

Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎11-28-2012 03:32 AM

Move the searches inside the charts.

i.e.

<chart>
  <searchTemplate>sourcetype="search1"</searchTemplate>
  <earliestTime>-300d</earliestTime>
  <latestTime>-0d</latestTime>
  <title>TimeChart</title>
  <option name="charting.chart">pie</option>
</chart>

If you have 2 search templates at the same level, one will clobber the other.

If you view the advanced xml (add ?showsource=t to the end of your views URL) you'll see what the simple XML gets converted to.

Whole sections of your forms xml mysteriously disappear.

Here's a working example :

<form>
  <label>Dashboard to convert to Form Search</label>
  <fieldset>
    <input type="text" token="series">
      <label>sourcetype</label>
      <default/>
      <seed>splunkd</seed>
      <suffix>*</suffix>
    </input>
  </fieldset>
  <row>
    <chart>
      <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ | timechart avg(eps) </searchTemplate>
      <earliestTime>-1w</earliestTime>
      <latestTime>-1d</latestTime>
      <option name="charting.chart">line</option>
    </chart>
    <chart>
      <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ | timechart avg(kbps) </searchTemplate>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">column</option>
    </chart>
  </row>
</form>
Reply
Solved! Jump to solution

hartfoml
Motivator
‎10-27-2015 05:44 AM

thanks @jonuwz this helps with my problem as well.

What if you want to use one search for several rows and another search for a few more rows.

Using your example at what level above the row would you put the template and still allow to run separately and only once each time the dashboard is refreshed?

0 Karma
Reply
Solved! Jump to solution

0range
Communicator
‎03-27-2014 02:18 AM

How do the separate searchtemplate work in this example? Is there any performance profit? I do not understand

0 Karma
Reply
Solved! Jump to solution

0range
Communicator
‎03-20-2014 02:29 AM

Is it the same to separate searches in every chart?

0 Karma
Reply
Solved! Jump to solution

alenseb
Communicator
‎11-28-2012 09:57 PM

Thanks!
That worked! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...