Dashboards & Visualizations

How can I effectively retrieve the SIDs for each component of the chained search?

michel_wolf
Path Finder

I'm currently working on an XML dashboard in Splunk where I've set up a chained search that builds upon a base search. My objective is to retrieve the SID (Search ID) for the chained search itself, rather than just obtaining the SID of the base search, which currently happens when I use the addinfo command.

When I apply the addinfo command within the chained search, it only provides me with the SID of the base search, and I'm looking to access the SIDs associated with the extended search queries within the chained search. How can I effectively retrieve the SIDs for each component of the chained search, including the extended queries, using the addinfo command or any alternative methods? 

Sample

<form theme="dark" version="1.1">
  <label>test</label>
  <search id="baseSearch">
    <query>
      index="test"
      | table A B C D E F _time
    </query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <table>
        <!-- post-processing search: $job.sid$ and addinfo here resolve to the base search's job -->
        <search base="baseSearch">
          <done>
            <set token="job_exportTocsv">$job.sid$</set>
          </done>
          <query>
            | stats count by A
            | addinfo
          </query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

The job.sid you can see, or which is added by addinfo, shows only the results from the base search in this example: if you run a | loadjob $job.sid$ with the SID provided by the chained search, you will see the results from the base search (| table A B C D E F _time) instead of the | stats count by A.

So it looks like the chained searches are handled differently from a base search; it was also not possible for me to find the chained search in Activity --> Jobs or to access this search via the REST endpoint.

Any ideas here to access the results from the chained search?

1 Solution

richgalloway
SplunkTrust

The term "chained search" is used by Dashboard Studio.  In XML dashboards we call them post-processing searches.

The base search is the only search.  The post-processing queries merely refine the results from the base search.  This is how we get better dashboard performance.

---
If this reply helps you, Karma would be appreciated.


TheEggi98
Path Finder

I just found an IMO ugly workaround for that.

Basically it's not directly a post-processing search.

It's using the SID of the base search and loads it using | loadjob with the "post-processing" query;
that creates its own SID for the further search, which can be used to export the results.

But I have no clue how it differs from post-processing searches in terms of performance/resource usage.

<form theme="dark" version="1.1">
  <label>test</label>
  <search id="baseSearch">
    <query>
      index="test"
      | table A B C D E F _time
    </query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
    <done>
      <!-- SID of the base search job, handed to the loadjob search below -->
      <set token="job_to_exportTocsv">$job.sid$</set>
    </done>
  </search>

  <row>
    <panel>
      <html depends="$job_exportTocsv$">
        <a target="_blank" class="btn" href="/api/search/jobs/$job_exportTocsv$/results?isDownload=true&amp;maxLines=0&amp;count=0&amp;filename=csv_export&amp;outputMode=csv" role="button">CSV Export</a>
      </html>
      <table>
        <search>
          <query>
            | loadjob $job_to_exportTocsv$
            | stats count by A
            | addinfo
          </query>
          <done>
            <!-- this is a separate job, not a post-processing search, so it has its own SID -->
            <set token="job_exportTocsv">$job.sid$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

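The same loadjob workaround can be driven from outside the dashboard through Splunk's REST API, which is the "alternative method" the question asked about: a second job runs `| loadjob <base_sid> | <refinement>`, so the refined results get a SID of their own that can be downloaded as CSV. The following is an added example written for this thread, not code from TheEggi98's post or from Splunk; it assumes a management endpoint such as `https://splunk.example:8089`, a Splunk authentication token sent as a Bearer header, and a constructed fake transport (`fake_splunk`) standing in for the server so the module runs offline. The endpoints used (`POST /services/search/jobs`, `GET /services/search/jobs/<sid>/results`) are real. Because the SID is spliced into an SPL string and into a URL path, the code validates it before use; a SID taken from a token or a request parameter should never reach the search string unchecked.

```python
"""Export the results of a refined (loadjob-based) search that has its own SID.

Added example for this thread, not code from the original post or from Splunk.
Assumed: a Splunk management endpoint (e.g. https://splunk.example:8089) and an
authentication token; fake_splunk() below stands in for the server so the
module runs offline.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Transport signature: (method, url, body, headers) -> raw response bytes.
Transport = Callable[[str, str, Optional[bytes], Dict[str, str]], bytes]

# Splunk SIDs consist of digits, dots, underscores, letters and dashes
# (e.g. "1700000000.42" or "scheduler__admin__search__..."). Anything else
# must not be spliced into the SPL string or the results URL.
SID_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def is_valid_sid(sid: str) -> bool:
    """True if sid is safe to interpolate into `| loadjob <sid>` and a URL path."""
    return bool(sid) and SID_RE.match(sid) is not None


def build_refined_query(base_sid: str, refinement: str) -> str:
    """Compose the SPL that re-reads the base job's results and refines them."""
    if not is_valid_sid(base_sid):
        raise ValueError(f"refusing to interpolate suspicious SID: {base_sid!r}")
    refinement = refinement.strip().lstrip("|").strip()
    if not refinement:
        raise ValueError("refinement must be a non-empty SPL fragment")
    return f"| loadjob {base_sid} | {refinement}"


def urllib_transport(method: str, url: str, body: Optional[bytes],
                     headers: Dict[str, str]) -> bytes:
    """Real HTTPS transport (not used by the offline demo); TLS verification stays on."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.read()


class RefinedJobExporter:
    """Creates a loadjob-based search job and downloads its results as CSV."""

    def __init__(self, base_url: str, token: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": f"Bearer {token}"}
        self.transport = transport

    def create_refined_job(self, base_sid: str, refinement: str) -> str:
        # exec_mode=blocking makes the POST return once the job is finished;
        # output_mode=json yields {"sid": "..."} instead of the default XML.
        body = urllib.parse.urlencode({
            "search": build_refined_query(base_sid, refinement),
            "exec_mode": "blocking",
            "output_mode": "json",
        }).encode()
        raw = self.transport("POST", f"{self.base_url}/services/search/jobs", body, self.headers)
        return json.loads(raw)["sid"]

    def export_csv(self, sid: str) -> str:
        if not is_valid_sid(sid):
            raise ValueError(f"refusing to build a URL from suspicious SID: {sid!r}")
        params = urllib.parse.urlencode({"output_mode": "csv", "count": "0"})  # count=0: all rows
        url = f"{self.base_url}/services/search/jobs/{sid}/results?{params}"
        return self.transport("GET", url, None, self.headers).decode()


def fake_splunk() -> Tuple[Transport, List[Tuple[str, str, Optional[bytes]]]]:
    """Constructed stand-in for a Splunk server: records requests, returns canned replies."""
    calls: List[Tuple[str, str, Optional[bytes]]] = []

    def transport(method, url, body, headers):
        calls.append((method, url, body))
        if method == "POST" and url.endswith("/services/search/jobs"):
            return b'{"sid": "1700000000.42"}'          # the refined job's own SID (constructed)
        if method == "GET" and "/results?" in url:
            return b"A,count\r\nfoo,3\r\nbar,1\r\n"        # constructed CSV rows
        raise RuntimeError(f"unexpected request {method} {url}")

    return transport, calls


def demo() -> Tuple[str, str]:
    """Run the workflow against the fake server; returns (refined_sid, csv_text)."""
    transport, _ = fake_splunk()
    exporter = RefinedJobExporter("https://splunk.example:8089", "TOKEN-placeholder", transport)
    base_sid = "1699999999.7"   # in the dashboard this would be the base search's $job.sid$
    sid = exporter.create_refined_job(base_sid, "| stats count by A")
    return sid, exporter.export_csv(sid)


if __name__ == "__main__":
    refined_sid, csv_text = demo()
    print("refined job SID:", refined_sid)
    print(csv_text)
```

To use it against a real instance, pass no `transport` argument so `urllib_transport` is used, and keep `exec_mode=blocking` only for refinements that finish quickly; for long-running jobs create the job in normal mode and poll `/services/search/jobs/<sid>` until `dispatchState` is DONE before fetching results. The loadjob step only works while the base job still exists and is readable by the same user, which matches the dashboard behaviour TheEggi98 describes.
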

michel_wolf
Path Finder

Thanks for the clarification, so it looks like post-processing searches and chained searches don't provide a SID, so it's not possible to access the refined results here.

This is okay for me, then I will work on another way.
