Dashboards & Visualizations

How can I effectively retrieve the SIDs for each component of the chained search?

michel_wolf
Path Finder

I'm currently working on an XML dashboard in Splunk where I've set up a chained search that builds upon a base search. My objective is to retrieve the SID (Search ID) for the chained search itself, rather than just obtaining the SID of the base search, which currently happens when I use the addinfo command.

When I apply the addinfo command within the chained search, it only provides me with the SID of the base search, and I'm looking to access the SIDs associated with the extended search queries within the chained search. How can I effectively retrieve the SIDs for each component of the chained search, including the extended queries, using the addinfo command or any alternative methods? 

Sample

 

 

<form theme="dark" version="1.1">
  <label>test</label>
  <search id="baseSearch">
    <query>
     index="test"
      | table A B C D E F _time 
    </query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
  </search>
      <table>
        <search base="baseSearch">
          <done>
            <set token="job_exportTocsv">$job.sid$</set>
          </done>
          <query>| stats count by A 
		| addinfo
	</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

 

The job.sid you can see or which is added from addinfo shows only the results from the basesearch in this example, if you make a |loadjob $job.sid$ which is provided by the chained search you will see the results from the basesearch | table A B C D E F _time  instead of the |stats count by A.

So it looks like the chained searches handels different instead of a basesearch, it was also not possible for me to find the chained search in Activity --> Jobs or access this search via REST Endpoint.

Any ideas here two access the results from the chained search?

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The term "chained search" is used by Dashboard Studio.  In XML dashboards we call them post-processing searches.

The base search is the only search.  The post-processing queries merely refine the results from the base search.  This is how we get better dashboard performance.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

TheEggi98
Path Finder

I just found an imo ugly Workaround for that.

Basically its not directly postprocessing search.

Its using the SID of the basesearch and loads it using | loadjob with the "postprocessing" query,
that creates an own SID for the further search, that can be used to export the results.

But i have no clue how its differs to postprocessing searches in terms of performance/resource usage

 

<form theme="dark" version="1.1">
  <label>test</label>
  <search id="baseSearch">
    <query>
     index="test"
      | table A B C D E F _time 
    </query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
	<done>
      <set token="job_to_exportTocsv">$job.sid$</set>
    </done>
  </search>
  
  <row>
    <panel>
	  <html depends="$job_exportTocsv$">
         <a target="_blank" class="btn" href="/api/search/jobs/$jobexportTocsv$/results?isDownload=true&amp;maxLines=0&amp;count=0&amp;filename=csv_export&amp;outputMode=csv" role="button">CSV Export</a>
      </html>
      <table>
	  <search>
		  <query>
			| loadjob $job_to_exportTocsv$
			| stats count by A 
		   	| addinfo
		  </query>
		  <done>
			<set token="job_exportTocsv">$job.sid$</set>
	      </done>
		</search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

 

 

richgalloway
SplunkTrust
SplunkTrust

The term "chained search" is used by Dashboard Studio.  In XML dashboards we call them post-processing searches.

The base search is the only search.  The post-processing queries merely refine the results from the base search.  This is how we get better dashboard performance.

---
If this reply helps you, Karma would be appreciated.

michel_wolf
Path Finder

Thanks for the clearification, so it´s looks like post-processing searches and chained searches, doesn´t provide a SID so it´s not possible to access the refine results here.

This is okay for me then I will work on antoher way.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...