Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I effectively retrieve the SIDs for each component of the chained search?

michel_wolf
Path Finder
‎08-07-2023 08:34 AM

I'm currently working on an XML dashboard in Splunk where I've set up a chained search that builds upon a base search. My objective is to retrieve the SID (Search ID) for the chained search itself, rather than just obtaining the SID of the base search, which currently happens when I use the addinfo command.

When I apply the addinfo command within the chained search, it only provides me with the SID of the base search, and I'm looking to access the SIDs associated with the extended search queries within the chained search. How can I effectively retrieve the SIDs for each component of the chained search, including the extended queries, using the addinfo command or any alternative methods? 

Sample

 

 

<form theme="dark" version="1.1">
  <label>test</label>
  <search id="baseSearch">
    <query>
     index="test"
      | table A B C D E F _time 
    </query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
  </search>
      <table>
        <search base="baseSearch">
          <done>
            <set token="job_exportTocsv">$job.sid$</set>
          </done>
          <query>| stats count by A 
		| addinfo
	</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

 

The job.sid you can see or which is added from addinfo shows only the results from the basesearch in this example, if you make a |loadjob $job.sid$ which is provided by the chained search you will see the results from the basesearch | table A B C D E F _time  instead of the |stats count by A.

So it looks like the chained searches handels different instead of a basesearch, it was also not possible for me to find the chained search in Activity --> Jobs or access this search via REST Endpoint.

Any ideas here two access the results from the chained search?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2023 10:24 AM

The term "chained search" is used by Dashboard Studio.  In XML dashboards we call them post-processing searches.

The base search is the only search.  The post-processing queries merely refine the results from the base search.  This is how we get better dashboard performance.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

TheEggi98
Path Finder
‎08-08-2023 02:50 AM

I just found an imo ugly Workaround for that.

Basically its not directly postprocessing search.

Its using the SID of the basesearch and loads it using | loadjob with the "postprocessing" query,
that creates an own SID for the further search, that can be used to export the results.

But i have no clue how its differs to postprocessing searches in terms of performance/resource usage

 

<form theme="dark" version="1.1">
  <label>test</label>
  <search id="baseSearch">
    <query>
     index="test"
      | table A B C D E F _time 
    </query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
	<done>
      <set token="job_to_exportTocsv">$job.sid$</set>
    </done>
  </search>
  
  <row>
    <panel>
	  <html depends="$job_exportTocsv$">
         <a target="_blank" class="btn" href="/api/search/jobs/$jobexportTocsv$/results?isDownload=true&amp;maxLines=0&amp;count=0&amp;filename=csv_export&amp;outputMode=csv" role="button">CSV Export</a>
      </html>
      <table>
	  <search>
		  <query>
			| loadjob $job_to_exportTocsv$
			| stats count by A 
		   	| addinfo
		  </query>
		  <done>
			<set token="job_exportTocsv">$job.sid$</set>
	      </done>
		</search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

 

 

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2023 10:24 AM

The term "chained search" is used by Dashboard Studio.  In XML dashboards we call them post-processing searches.

The base search is the only search.  The post-processing queries merely refine the results from the base search.  This is how we get better dashboard performance.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

michel_wolf
Path Finder
‎08-07-2023 11:05 PM

Thanks for the clearification, so it´s looks like post-processing searches and chained searches, doesn´t provide a SID so it´s not possible to access the refine results here.

This is okay for me then I will work on antoher way.

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...