Dashboards & Visualizations

Module Hiddensearch help


Hi,

I have created a view to display my search results. I have three search queries, say Query1, Query2 and Query3. Now I need to display these search query results in a tabular format, so I have used the HTML tag like this in the module, but it's not working. Please help with this.

My three queries are :

Query1: sourcetype="x" somelogic | stats count as A
Query2: sourcetype="y" somelogic | stats count as B
Query3: sourcetype="z" somelogic | stats count as C

    sourcetype="x" somelogic | stats count as A
    sourcetype="y" somelogic | stats count as B
    sourcetype="z" somelogic | stats count as C

    <module name="HTML">
      <param name="html">
      <![CDATA[
      <center>
      <table>
        <tr>
          <th>A Count</th>
          <th>B Count</th>
          <th>C Count</th>
        </tr>
        <tr>
          <td>$results[0].A$</td>
          <td>$results[0].B$</td>
          <td>$results[0].C$</td>
        </tr>
      </table>
      </center>
      ]]>
      </param>
    </module>

It's working fine when I have only one search query inside the module, but not working for three param tags. Need help on this ASAP. Thanks.


You cannot do this. Splunk's HiddenSearch and Sideview's Search module each only take one "search" param.

What you should do is try and combine the logic so that one search, with one set of eval/stats commands, gets you all three results. Feel free to post the three searches as a separate question and we can try and help you to do that.

Or break it into three separate Search modules and three separate HTML modules. (Note that since you're using Sideview Utils anyway in this view there's no reason to use the old HiddenSearch module over the newer Search)

UPDATE: based on the three searches you posted, here are details on how to combine them.

However, I'm going to build up to it from simpler examples.

1) Let me start with combining just the first two in the most straightforward way possible. The GET/POST should definitely be extracted as a field, and there's a good chance that it's been extracted as a field already called 'method'.

sourcetype="sampledata" (method=POST OR method=GET) | stats count by method

That will get you two rows, one for GET and one for POST.

2) The following builds from there, and gets you a single row, where the GET count is a field called 'Requests' and the POST count is a field called 'Responses'.

sourcetype=access_combined (method=POST OR method=GET) | stats count by method | eval foo="1" | xyseries foo method count | fields - foo | rename GET as Requests POST as Responses

3) And last but not least, putting all three together requires a little more fun:

sourcetype=sampledata (method="POST" OR method="GET" OR action="purchase*") | eval type=if(substr(action,0,8)=="purchase","Purchase",method) | stats count by type | eval foo="1" | xyseries foo type count | fields - foo | rename GET as requests POST as responses Purchase as "NoofPurchases"

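As an added example (not code from the original post, the answer above, or Sideview Utils itself), here is one way to wire a single combined search into one Sideview Search module feeding one HTML module, which is the structure the answer recommends. Instead of stats count by ... | xyseries, it uses stats with count(eval(...)) so that one search returns exactly one row and the HTML module reads each column from $results[0]. The sourcetype name sampledata, the field names method and action, the view label, time range and layout panel names are assumptions based on the searches posted in this thread; check that GET/POST really is extracted as method in your data before using it.

```xml
<?xml version="1.0"?>
<!-- Added example view, not the original poster's XML.
     Assumes Sideview Utils is installed and that events carry a
     "method" field (GET/POST) and an "action" field (purchase*). -->
<view template="dashboard.html" autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true">
  <label>Request / Response / Purchase counts</label>

  <!-- SideviewUtils must be loaded before any other Sideview module -->
  <module name="SideviewUtils" layoutPanel="appHeader" />
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="navigationHeader" />

  <!-- ONE Search module: it accepts exactly one "search" param, so the
       three counts are folded into a single search that yields one row.
       count(eval(...)) counts only the events where the condition is true. -->
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search"><![CDATA[
      sourcetype="sampledata" (method="GET" OR method="POST" OR action="purchase*")
      | stats count(eval(method="GET"))             AS RequestCount,
              count(eval(method="POST"))            AS ResponseCount,
              count(eval(like(action,"purchase%"))) AS NoofPurchases
    ]]></param>
    <param name="earliest">-24h</param>
    <param name="latest">now</param>

    <!-- ONE HTML module, nested inside the Search so it inherits its results.
         The search returns a single row, hence $results[0].<field>$ -->
    <module name="HTML">
      <param name="html"><![CDATA[
        <center>
        <table>
          <tr>
            <th>RequestCount</th>
            <th>ResponseCount</th>
            <th>NoofPurchases</th>
          </tr>
          <tr>
            <td>$results[0].RequestCount$</td>
            <td>$results[0].ResponseCount$</td>
            <td>$results[0].NoofPurchases$</td>
          </tr>
        </table>
        </center>
      ]]></param>
    </module>
  </module>
</view>
```

One practical difference from the stats count by type | xyseries approach in the answer: if no events match one of the conditions in a given time range, count(eval(...)) still returns that column with a value of 0, whereas stats count by type followed by xyseries simply never produces the column, and the corresponding $results[0].X$ token in the HTML module renders empty.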

My three queries are

sourcetype="sampledata" GET | stats count as Req

sourcetype="sampledata" POST | stats count as Res

sourcetype="sampledata" action=purchase* | stats count as Purchase

I would like to show these queries in a table format like this:

RequestCount | ResponseCount | NoofPurchases
45           | 56            | 90
