Dashboards & Visualizations
Highlighted

Can I define multiple searchTemplate in one view?

Communicator

I tried to put second searchTemplate in the view and expect to use searchPostProcess by charts underneath. However, I found the charts in lower part can't show anything unless if remove the first searchTemplate the corresponding charts.

Can anyone tell me how can work it work?

Probably, I can minimize 10 queries into 2 in a view if possible.

Highlighted

Re: Can I define multiple searchTemplate in one view?

Legend

Simple XML? Advanced XML?

0 Karma
Highlighted

Re: Can I define multiple searchTemplate in one view?

Communicator

I tried Simple XML only. I don't mind to Advanced.

So it works with Advanced XML?

0 Karma
Highlighted

Re: Can I define multiple searchTemplate in one view?

Communicator

I have similar situation here.
Is possible to add to queries inside a form?

Anyone's got an answer to this?

0 Karma
Highlighted

Re: Can I define multiple searchTemplate in one view?

Splunk Employee
Splunk Employee

No, you cannot put a second searchTemplate inside SimpleXML.

Old way: Within AdvancedXML, you can specify multiple elements.

New way: The modern way to do it is to use the Web Framework with multiple search artifacts.

I recommend learning the new way.

0 Karma
Highlighted

Re: Can I define multiple searchTemplate in one view?

Splunk Employee
Splunk Employee

Multiple background searches in Simple XML is supported in the upcoming Splunk 6.2 release (announced last week, with a target GA for end of Oct '14).

Here's an example of the new search syntax to enable this functionality:

<dashboard>
  <label>Multiple Searches</label>

  <search id="violations_by_neighborhood">
    <query>index="sf_food_health" sourcetype=sf_food_violations risk_category="*" neighborhood="*"  
| stats count(eval(risk_category="High Risk")) as "High Risk" count(eval(risk_category="Moderate Risk")) as "Moderate Risk" count(eval(risk_category="Low Risk")) as "Low Risk" count as "Total Violations" by neighborhood</query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>

  <search id="basic_stats">
    <query>index="sf_food_health" sourcetype=sf_food_violations risk_category=* | stats count(eval(risk_category="High Risk")) as "High Risk" count(eval(risk_category="Moderate Risk")) as "Moderate Risk" count(eval(risk_category="Low Risk")) as "Low Risk" count as Violations</query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Health Inspection Violations Statistics</title>
      <single>
        <search base="basic_stats">
          <query>stats sum(High Risk)</query>
        </search>
        <option name="beforeLabel">High Risk Violations:</option>
        <option name="linkView">search</option>
        <option name="drilldown">none</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <single>
        <search base="basic_stats">
          <query>stats sum(Moderate Risk)</query>
        </search>
        <option name="beforeLabel">Moderate Risk Violations:</option>
        <option name="linkView">search</option>
        <option name="drilldown">none</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <single>
        <search base="basic_stats">
          <query>stats sum(Low Risk)</query>
        </search>
        <option name="beforeLabel">Low Risk Violations:</option>
        <option name="linkView">search</option>
        <option name="drilldown">none</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <single>
        <search base="basic_stats">
          <query>stats sum(Violations)</query>
        </search>
        <option name="beforeLabel">Total Violations:</option>
        <option name="linkView">search</option>
        <option name="drilldown">none</option>
        <option name="refresh.time.visible">false</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Health Inspection Violations by Neighborhood</title>
      <single>
        <search base="violations_by_neighborhood">
          <query>stats sum(High Risk)</query>
        </search>
        <option name="beforeLabel">High Risk Violations:</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <single>
        <search base="violations_by_neighborhood">
          <query>stats sum(Moderate Risk)</query>
        </search>
        <option name="beforeLabel">Moderate Risk Violations:</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <single>
        <search base="violations_by_neighborhood">
          <query>stats sum(Low Risk)</query>
        </search>
        <option name="beforeLabel">Low Risk Violations:</option>
        <option name="refresh.time.visible">false</option>
      </single>
      <chart>
        <title>Health Inspection Violations by Neighborhood</title>
        <search base="violations_by_neighborhood">
          <query>sort -"Total Violations" limit=10 
| fields - "Total Violations"</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.fieldColors">{"High Risk":0xD85E3D, "Moderate Risk":0xFAC61D,"Low Risk":0x6BB7C8}</option>
      </chart>
    </panel>
  </row>
</dashboard>