Dashboards & Visualizations
Highlighted

Example: Simple XML using PostProcess?

Champion

Can someone post a simple example? The documentation uses Advanced XML as the example: http://docs.splunk.com/Documentation/Splunk/6.0.5/AdvancedDev/PostProcess

Highlighted

Re: Example: Simple XML using PostProcess?

Motivator

Hey, here's a simple syntax

<!-- My parent search -->
<search id="xyz">
  <query>.....|stats count by a,b,c,d,e,f,_time</query>
</search>
<!-- post processing reference -->
<chart>
  <search base="xyz">
    <query> timechart count by a span=15m</query>
  </search>
</chart>
<chart>
  <search base="xyz">
    <query>chart count over a by b</query>
  </search>
</chart>

Hope this helps!

View solution in original post

Highlighted

Re: Example: Simple XML using PostProcess?

Champion

FYI: This syntax is only supported in Splunk 6.2+

0 Karma
Highlighted

Re: Example: Simple XML using PostProcess?

Engager
0 Karma
Highlighted

Re: Example: Simple XML using PostProcess?

Path Finder

with global and local time inputs the post processing mechanism not working .. why ?

0 Karma
Highlighted

Re: Example: Simple XML using PostProcess?

Influencer

From the Splunk 6.x Dashboard Examples app here:

<form>
  <label>Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline.</description>
  <searchTemplate>index=_internal | head 1000</searchTemplate>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Events over Time</title>
      <searchPostProcess>timechart count</searchPostProcess>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes</title>
      <searchPostProcess>top limit=100 sourcetype | eval percent = round(percent,2)</searchPostProcess>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>
Highlighted

Re: Example: Simple XML using PostProcess?

Communicator

FYI this is the syntax for Splunk 6.0 and 6.1, which only allowed one base search. Splunk 6.2 allows multiple base search (distinguished by ids).