Dashboards & Visualizations

Multiple base searches in a dashboard with post-processing searches

joydeep741
Path Finder

I have a dashboard with 4 panels/searches. I want to implement the following scenario:

<form>
  <searchTemplate>FIRST BASE SEARCH</searchTemplate>
  <postProcessSearch>Post Processing search 1</postProcessSearch>
  <postProcessSearch>Post Processing search 2</postProcessSearch>
  <searchTemplate>SECOND BASE SEARCH</searchTemplate>
  <postProcessSearch>Post Processing search 3</postProcessSearch>
  <postProcessSearch>Post Processing search 4</postProcessSearch>
</form>

1 Solution

rsennett_splunk
Splunk Employee

Use the id= and base= labels. Name your base searches with id and refer to them with base.

<form>
  <label>Multiple Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline. Each Base Search is Named</description>
  <!-- Base searches are declared once, at form level, and given an id. -->
  <search id="First_Base_Search">
      <query>index=_internal | head 1000</query>
  </search>
  <search id="Second_Base_Search">
      <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  </search>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <!-- base= names the id above; the query runs on that base search's results. -->
      <search base="First_Base_Search">
          <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="First_Base_Search">
          <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
  <row>
    <chart>
      <title>Events Count by Log Level(Second)</title>
      <!-- The second base search is already aggregated, so panels re-aggregate its counts. -->
      <search base="Second_Base_Search">
          <query>| stats sum(count) AS count by log_level</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Error Count by Component(Second)</title>
      <search base="Second_Base_Search">
          <query>| search log_level=error | stats sum(count) AS count by component</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>
With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!


rharrisssi
Path Finder

All of a sudden in 6.6.X you cannot put the base search in the same location as in rsennett's example. This is particularly annoying because if you do it from the filesystem there are no problems.

0 Karma

sjodle
Path Finder

I should note that the Simple XML Reference (http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/PanelreferenceforSimplifiedXML#dashboard_...) contradicts this - the schema shows a maximum of one search per dashboard or form, though multiple do work.

0 Karma

rsennett_splunk
Splunk Employee

Updating with most recent doc for 7.0
http://docs.splunk.com/Documentation/Splunk/7.0.0/Viz/Savedsearches#Post-process_searches_2

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

landen99
Motivator

Base searches should be rendered in reporting format. To the first base search, I recommend adding

| stats count by sourcetype _time

possibly with bucket _time span=30m

landen99
Motivator

How do you implement multiple times with multiple time pickers into these multiple base searches?

0 Karma
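The two comments above (a base search in reporting format with bucketed _time, and one time picker per base search) can be combined in one form. The following is an added example written for this thread, not code from the original answer; it assumes Splunk 6.2+ Simple XML, and the token names time_first and time_second, the panel titles and the 30-minute span are choices made for illustration. Each time input sets its own token, and each base search binds its earliest/latest to that token, so the pickers are independent:

```xml
<form>
  <label>Two base searches, two time pickers (added example)</label>
  <description>Each base search is bound to its own time input token and returns
    aggregated results, so the post-process panels work on statistics rather
    than raw events.</description>

  <fieldset submitButton="false">
    <!-- One token per time input; the two pickers do not affect each other. -->
    <input type="time" token="time_first" searchWhenChanged="true">
      <label>Time range for first base search</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="time" token="time_second" searchWhenChanged="true">
      <label>Time range for second base search</label>
      <default>
        <earliest>-4h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search 1 in reporting format: bucket _time first so the result set
       stays small and the panels can still build a time chart from it. -->
  <search id="First_Base_Search">
    <query>index=_internal | bucket _time span=30m | stats count by sourcetype _time</query>
    <earliest>$time_first.earliest$</earliest>
    <latest>$time_first.latest$</latest>
  </search>

  <!-- Base search 2, already aggregated, bound to the second picker. -->
  <search id="Second_Base_Search">
    <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
    <earliest>$time_second.earliest$</earliest>
    <latest>$time_second.latest$</latest>
  </search>

  <row>
    <chart>
      <title>Events over time (first picker)</title>
      <search base="First_Base_Search">
        <!-- Post-process: re-aggregate the pre-bucketed counts per 30m slot. -->
        <query>timechart span=30m sum(count) AS count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top sourcetypes (first picker)</title>
      <search base="First_Base_Search">
        <query>stats sum(count) AS count by sourcetype | sort - count | head 10</query>
      </search>
    </table>
  </row>
  <row>
    <chart>
      <title>Count by log level (second picker)</title>
      <search base="Second_Base_Search">
        <query>stats sum(count) AS count by log_level</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Errors by component (second picker)</title>
      <search base="Second_Base_Search">
        <query>search log_level=ERROR | stats sum(count) AS count by component</query>
      </search>
    </table>
  </row>
</form>
```

Two things to check when adapting this: every field a post-process query needs must be produced by the base search (here sourcetype, _time, component and log_level), and a base search that returns raw events instead of statistics only hands a capped number of events to the post-process panels, which is why both base searches end in stats.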

joydeep741
Path Finder

But does this work in Splunk v6.0?
I am getting a "No search query provided." error.

androchentw
Engager
0 Karma

rsennett_splunk
Splunk Employee

Normally I'd agree regarding "latest", but since these Answers discussions live forever it's maybe better to assume that and put the version you refer to. Otherwise it makes for a wild goose chase when you find the EXACT answer to your question in an 'old' answer but have no feature/time context. :) But I see your point.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

niketnilay
Legend

@androchentw, it is better to use "latest" instead of a version so that the Splunk documentation link remains applicable to the latest version until something is deprecated, removed, or moved to a new link.

http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_examples

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

matthieu_araman
Communicator

This is Splunk 6.2+ syntax, which allows you to name searches and reuse them.
I find it much easier and more powerful than the postprocess stanzas.

So I would advise you to upgrade to be able to use this.
Alternatively, it may be doable with Advanced XML, but I never explored it.

rsennett_splunk
Splunk Employee

I believe this feature (multiple base searches) was implemented with 6.1
Current release is 6.2.3 - You may want to plan an upgrade, as you are two pretty major releases behind.
You can only have one base search in the version you're using and the syntax is different.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
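For contrast with the id/base form above, this is an added example of the single-base-search syntax the earlier releases used, written for this thread rather than taken from the original answer. The element names (searchTemplate, searchPostProcess, earliestTime, latestTime) are the 6.0-era Simple XML elements as I recall them; check them against the Simple XML reference for the exact version in use before relying on them. There is one base search for the whole form, and each panel post-processes it:

```xml
<form>
  <label>Single base search with post-process panels (pre-6.2 syntax, added example)</label>
  <!-- Only one base search per form in this syntax; there is nothing to name. -->
  <searchTemplate>index=_internal source=*splunkd.log | stats count by component, log_level</searchTemplate>
  <earliestTime>-24h</earliestTime>
  <latestTime>now</latestTime>
  <row>
    <chart>
      <title>Count by log level</title>
      <!-- Each panel post-processes the form-level base search. -->
      <searchPostProcess>stats sum(count) AS count by log_level</searchPostProcess>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Errors by component</title>
      <searchPostProcess>search log_level=ERROR | stats sum(count) AS count by component</searchPostProcess>
    </table>
  </row>
</form>
```

A second searchTemplate in the same form has no way to be referenced by a panel, which is why the thread's scenario (two base searches, two post-process panels each) needs the 6.2+ id/base syntax.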