Dashboards & Visualizations

Can I define multiple searchTemplate in one view?

philip_wong
Communicator

I tried to put second searchTemplate in the view and expect to use searchPostProcess by charts underneath. However, I found the charts in lower part can't show anything unless if remove the first searchTemplate the corresponding charts.

Can anyone tell me how can work it work?

Probably, I can minimize 10 queries into 2 in a view if possible.

nfilippi_splunk
Splunk Employee
Splunk Employee

Multiple background searches in Simple XML is supported in the upcoming Splunk 6.2 release (announced last week, with a target GA for end of Oct '14).

Here's an example of the new search syntax to enable this functionality:

<dashboard>
  <label>Multiple Searches</label>

  <search id="violations_by_neighborhood">
    <query>index="sf_food_health" sourcetype=sf_food_violations risk_category="*" neighborhood="*"  
| stats count(eval(risk_category="High Risk")) as "High Risk" count(eval(risk_category="Moderate Risk")) as "Moderate Risk" count(eval(risk_category="Low Risk")) as "Low Risk" count as "Total Violations" by neighborhood</query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>

  <search id="basic_stats">
    <query>index="sf_food_health" sourcetype=sf_food_violations risk_category=* | stats count(eval(risk_category="High Risk")) as "High Risk" count(eval(risk_category="Moderate Risk")) as "Moderate Risk" count(eval(risk_category="Low Risk")) as "Low Risk" count as Violations</query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Health Inspection Violations Statistics</title>
      <single>
        <search base="basic_stats">
          <query>stats sum(High Risk)</query>
        </search>
        <option name="beforeLabel">High Risk Violations:</option>
        <option name="linkView">search</option>
        <option name="drilldown">none</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <single>
        <search base="basic_stats">
          <query>stats sum(Moderate Risk)</query>
        </search>
        <option name="beforeLabel">Moderate Risk Violations:</option>
        <option name="linkView">search</option>
        <option name="drilldown">none</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <single>
        <search base="basic_stats">
          <query>stats sum(Low Risk)</query>
        </search>
        <option name="beforeLabel">Low Risk Violations:</option>
        <option name="linkView">search</option>
        <option name="drilldown">none</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <single>
        <search base="basic_stats">
          <query>stats sum(Violations)</query>
        </search>
        <option name="beforeLabel">Total Violations:</option>
        <option name="linkView">search</option>
        <option name="drilldown">none</option>
        <option name="refresh.time.visible">false</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Health Inspection Violations by Neighborhood</title>
      <single>
        <search base="violations_by_neighborhood">
          <query>stats sum(High Risk)</query>
        </search>
        <option name="beforeLabel">High Risk Violations:</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <single>
        <search base="violations_by_neighborhood">
          <query>stats sum(Moderate Risk)</query>
        </search>
        <option name="beforeLabel">Moderate Risk Violations:</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <single>
        <search base="violations_by_neighborhood">
          <query>stats sum(Low Risk)</query>
        </search>
        <option name="beforeLabel">Low Risk Violations:</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <chart>
        <title>Health Inspection Violations by Neighborhood</title>
        <search base="violations_by_neighborhood">
          <query>sort -"Total Violations" limit=10 
| fields - "Total Violations"</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.fieldColors">{"High Risk":0xD85E3D, "Moderate Risk":0xFAC61D,"Low Risk":0x6BB7C8}</option>
      </chart>
    </panel>
  </row>
</dashboard>

ahall_splunk
Splunk Employee
Splunk Employee

No, you cannot put a second searchTemplate inside SimpleXML.

Old way: Within AdvancedXML, you can specify multiple elements.

New way: The modern way to do it is to use the Web Framework with multiple search artifacts.

I recommend learning the new way.

0 Karma

alenseb
Communicator

I have similar situation here.
Is possible to add to queries inside a form?

Anyone's got an answer to this?

0 Karma

philip_wong
Communicator

I tried Simple XML only. I don't mind to Advanced.

So it works with Advanced XML?

0 Karma

Ayn
Legend

Simple XML? Advanced XML?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...