All,
I have a simple table visualization on a dashboard and I want to have the option to filter down to specific values for each column. For example, I have a column for the disk drive that data is coming from (for some machines this could be a C:, D:, E:, for others just a G:, etc) and I want to only show rows that have disk drive C:.
Right now I have a selector above the table that lists all the possible drives, sets a form input, and reissues a search for the table's content. That's annoying, since you have to wait for data to return again, even though you already know it's a subset of the data already in the table.
Does anyone know if there's a way I can filter a table like this without needing to reissue the query? Thanks!
Very late response, you might have figured a solution, but this is what I did for one of our use cases.
With a text input with token "filtertext" and the post-process search below, you can filter all the columns in the table.
| foreach * [eval filter=if((filter=1 OR match('<<FIELD>>',"(?i).*$filtertext$.*")),1,0)] | search filter=1 | fields - filter
Sometimes you end up with a dashboard running searches that are similar. You can save search resources by creating a base search for the dashboard. Panels in the dashboard use a post-process search to further modify the results of a base search. The base search can be a global search for the dashboard or any other search within the dashboard.
More here.
Post-process searches have limitations.
If the base search is a non-transforming search, Splunk Enterprise retains only the first 10,000 events returned. The post-process search does not process events in excess of this 10,000 event limit, silently ignoring them. This results in incomplete data for the post-process search. A transforming search as the base search helps avoid this limitation.
If the post-processing operation takes too long, it can exceed Splunk Web client’s non-configurable timeout value of 30 seconds. This can result in a timeout due to an unresponsive splunkd daemon/service. This scenario typically happens when you use a non-transforming search as the base search.
From the docs:
You can use a post-process search to dynamically populate inputs to a form. The following example shows a form with two inputs. The drop-down list, which selects an index to search, defines the choices statically. The drop-down list to select a source type statically defines the default choice but uses a post-process search to dynamically define the other choices.
Base search for populating the source type dropdown
index=_internal | stats count by sourcetype
Post process for dropdown input
| search sourcetype=splunkd*
<form>
  <label>Post Process in Form Inputs</label>
  <!-- Global search for post process by dropdown input -->
  <!-- Search uses stats command to limit results to less than 10,000 limit -->
  <search id="searchInput">
    <query>index=_internal | stats count by sourcetype</query>
    <earliest>-60min</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <!-- Select an index from two static choices -->
    <input type="dropdown" token="index_tok" searchWhenChanged="true">
      <label>Select an index to search</label>
      <choice value="_internal">Internal</choice>
      <choice value="*">All public indexes</choice>
      <default>_internal</default>
    </input>
    <!-- Dynamically populate choices -->
    <input type="dropdown" token="sourcetype_tok" searchWhenChanged="true">
      <label>Select a source type</label>
      <!-- default choice is all sourcetypes -->
      <choice value="*">All sourcetypes</choice>
      <default>*</default>
      <!-- Post-process search to dynamically populate choices -->
      <search base="searchInput">
        <query>search sourcetype=splunkd*</query>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
    </input>
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Chart</title>
        <search>
          <query>
            index=$index_tok$ sourcetype=$sourcetype_tok$ | timechart count
          </query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
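Putting the foreach/match snippet from the earlier answer together with the base-search/post-process pattern shown above, here is a complete Simple XML dashboard that filters the table client-side of the original job without dispatching a new search. This is an added example, not code from the thread or from Splunk's docs; the index, sourcetype and field names (diskstats, free_pct, host, drive) are assumed for illustration.

```xml
<form>
  <label>Filter a table without reissuing the base search</label>
  <!-- Base search. It is transforming (stats), so the result set is a small
       table and the 10,000-event post-process limit does not apply.
       index, sourcetype and field names are assumed for illustration. -->
  <search id="base">
    <query>index=main sourcetype=diskstats | stats latest(free_pct) AS free_pct BY host drive</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <!-- Empty default: an empty pattern matches every cell, so all rows show
         until the user types something such as C: or a host name. -->
    <input type="text" token="filtertext" searchWhenChanged="true">
      <label>Filter rows (any column, case-insensitive regex)</label>
      <default></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Disk free space</title>
        <!-- Post-process search: reuses the results of the base job instead
             of dispatching a new job. foreach visits every column and
             <<FIELD>> stands for the current column name. On the first pass
             the filter field does not exist yet, so filter=1 is null and only
             match() decides; later passes keep a 1 once any column matched.
             CDATA keeps <<FIELD>> and the quotes away from the XML parser. -->
        <search base="base">
          <query><![CDATA[
            | foreach * [eval filter=if((filter=1 OR match('<<FIELD>>', "(?i)$filtertext$")), 1, 0)]
            | search filter=1
            | fields - filter
            | sort - free_pct
          ]]></query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because $filtertext$ is substituted into a regex, an unbalanced metacharacter (for example a trailing backslash in C:\) makes match() return null and hides every row, so the input label tells users they are typing a pattern. Since match() is unanchored, the leading and trailing .* from the original snippet are not needed.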
I don't think this is quite what I want.
Imagine I have a search that returns a table of restaurant information. I have a zip code input that drives the initial population of the table (e.g. get me all restaurants in that zip code). The table is then populated with a bunch of columns, two of which are "cuisine" and "average price." I want to filter down the table to only Italian cuisine and order by average price. Right now, I need to have an input that reissues the query with the "Italian" filter.
All I should need to do is have a filter on the table. Issuing a separate query is unnecessary and adds unneeded load time to the dashboard. If this functionality doesn't exist, I can file an enhancement request.
Bruce, did you get this answered? I have the same question. Thanks.
Hi jasonang - I didn't get a response, but I did file an enhancement request. Case 303365