Solved: Re: Multiple Base searches in a dasboard with post...

joydeep741 · ‎05-25-2015

I have a dashboard with 4 panels/searches. I want to implement the following scenario :-

<\ FORM>
< searchTemplate >FIRST BASE SEARCH< /searchTemplate >
< postProcessSearch > Post Processing search 1 < /postProcessSearch>
< postProcessSearch > Post Processing search 2 < /postProcessSearch>
< searchTemplate >SECOND BASE SEARCH< /searchTemplate >
< postProcessSearch > Post Processing search 3 < /postProcessSearch>
< postProcessSearch > Post Processing search 4 < /postProcessSearch>
<\ /FORM>

rsennett_splunk · ‎05-25-2015

Use the id= and base= labels. Name your base searches with id and refer to them with base.

<form>
  <label>Multiple Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline. Each Base Search is Named</description>
  <search id="First_Base_Search">
      <query>index=_internal | head 1000</query>
  </search>
   <search id="Second_Base_Search">
      <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  </search>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="First_Base_Search">
          <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="First_Base_Search">
          <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
  <row>
    <chart>
      <title>Events Count by Log Level(Second)</title>
      <search base="Second_Base_Search">
          <query>| stats sum(count) AS count by log_level</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Error Count by Component(Second)</title>
      <search base="Second_Base_Search">
          <query>| search log_level=error | stats sum(count) AS count by component</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

rharrisssi · ‎11-29-2017

All of a sudden in 6.6.X you cannot put the base search in the same location as in rsennett's example. This is particularly annoying because if you do it from the filesystem there are no problems.

rsennett_splunk · ‎05-25-2015

Use the id= and base= labels. Name your base searches with id and refer to them with base.

<form>
  <label>Multiple Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline. Each Base Search is Named</description>
  <search id="First_Base_Search">
      <query>index=_internal | head 1000</query>
  </search>
   <search id="Second_Base_Search">
      <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  </search>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="First_Base_Search">
          <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="First_Base_Search">
          <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
  <row>
    <chart>
      <title>Events Count by Log Level(Second)</title>
      <search base="Second_Base_Search">
          <query>| stats sum(count) AS count by log_level</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Error Count by Component(Second)</title>
      <search base="Second_Base_Search">
          <query>| search log_level=error | stats sum(count) AS count by component</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

sjodle · ‎11-03-2017

I should note that the Simple XML Reference (http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/PanelreferenceforSimplifiedXML#dashboard_...) contradicts this - the schema shows a maximum of one search per dashboard or form, though multiple do work.

rsennett_splunk · ‎10-26-2017

Updating with most recent doc for 7.0
http://docs.splunk.com/Documentation/Splunk/7.0.0/Viz/Savedsearches#Post-process_searches_2

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

landen99 · ‎03-17-2016

Base searches should be rendered in reporting format. To the first base search, I recommend adding

| stats count by sourcetype _time

possibly with bucket _time span=30m

landen99 · ‎01-12-2016

How do you implement multiple times with multiple time pickers into these multiple base searches?

joydeep741 · ‎05-26-2015

But does this work in splunk v6.0 ?
I am getting "No search query provided. " error

androchentw · ‎10-26-2017

FYI: the example of official document is here: http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/Savedsearches#Post-process_examples

rsennett_splunk · ‎10-26-2017

normally I'd agree regarding "latest" but since these answers discussions live forever it's maybe better to assume that, and put the version you refer to. otherwise it makes for a wild goose chase when you find the EXACT answer to your question in an 'old' answer but have no feature/time context. :). But I see your point.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

niketn · ‎10-26-2017

@androchentw, it is better to use latest instead of version so that the Splunk Documentation Link remains applicable to latest version until something is deprecated or removed or moved to a new link

http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_examples

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

matthieu_araman · ‎05-26-2015

this is Splunk 6.2+ syntax which allow to name searches and reuse them.
I find it much easier and more powerfull that the postprocess stanzas.

So I would advice you to upgrade to be able to use this
Alternatively, there may be a possibility that's doable with advancedxml but never explored it.

rsennett_splunk · ‎05-26-2015

I believe this feature (multiple base searches) was implemented with 6.1
Current release is 6.2.3 - You may want to plan an upgrade, as you are two pretty major releases behind.
You can only have one base search in the version you're using and the syntax is different.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Multiple Base searches in a dasboard with post processing searches

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Multiple Base searches in a dasboard with post processing searches

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25