I have a dashboard with 4 panels/searches. I want to implement the following scenario:
<FORM>
  <searchTemplate>FIRST BASE SEARCH</searchTemplate>
  <postProcessSearch>Post Processing search 1</postProcessSearch>
  <postProcessSearch>Post Processing search 2</postProcessSearch>
  <searchTemplate>SECOND BASE SEARCH</searchTemplate>
  <postProcessSearch>Post Processing search 3</postProcessSearch>
  <postProcessSearch>Post Processing search 4</postProcessSearch>
</FORM>
Use the id= and base= labels. Name your base searches with id and refer to them with base.
<form>
  <label>Multiple Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline. Each Base Search is Named</description>
  <search id="First_Base_Search">
    <query>index=_internal | head 1000</query>
  </search>
  <search id="Second_Base_Search">
    <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  </search>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="First_Base_Search">
        <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="First_Base_Search">
        <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
  <row>
    <chart>
      <title>Events Count by Log Level(Second)</title>
      <search base="Second_Base_Search">
        <query>| stats sum(count) AS count by log_level</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Error Count by Component(Second)</title>
      <search base="Second_Base_Search">
        <query>| search log_level=error | stats sum(count) AS count by component</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>
All of a sudden in 6.6.X you cannot put the base search in the same location as in rsennett's example. This is particularly annoying because if you do it from the filesystem there are no problems.
I should note that the Simple XML Reference (http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/PanelreferenceforSimplifiedXML#dashboard_...) contradicts this - the schema shows a maximum of one search per dashboard or form, though multiple do work.
Updating with most recent doc for 7.0
http://docs.splunk.com/Documentation/Splunk/7.0.0/Viz/Savedsearches#Post-process_searches_2
Base searches should be rendered in reporting format. To the first base search, I recommend adding "| stats count by sourcetype _time", possibly with "bucket _time span=30m".
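To show what the reporting-format recommendation above looks like when applied to the accepted answer's first base search, here is an added example (not from the original thread or from Splunk's docs) of one pre-aggregated base search feeding two post-process panels; the id "Base_By_Sourcetype" and the panel titles are made up for illustration:

```xml
<form>
  <label>Post-process from a reporting-format base search</label>
  <description>Base search is transforming, so each panel only reshapes a small aggregate</description>
  <!-- The base search buckets _time to 30 minutes and counts per sourcetype.
       "bin" is the documented name of the command the comment calls "bucket".
       Because the base search is transforming, the post-process searches
       receive complete, already-extracted fields instead of raw events. -->
  <search id="Base_By_Sourcetype">
    <query>index=_internal | bin _time span=30m | stats count BY _time, sourcetype</query>
    <earliest>-24h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <chart>
        <title>Events over Time (from base)</title>
        <!-- timechart re-sums the pre-bucketed counts; span matches the base bin -->
        <search base="Base_By_Sourcetype">
          <query>| timechart span=30m sum(count) AS count BY sourcetype</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Top Sourcetypes (from base)</title>
        <!-- Replaces "top limit=100 sourcetype": total per sourcetype, then rank -->
        <search base="Base_By_Sourcetype">
          <query>| stats sum(count) AS total BY sourcetype | sort - total | head 10</query>
        </search>
        <option name="displayRowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>
```

Both panels derive their numbers from the same aggregate, so the base search runs once and the dashboard no longer depends on raw events reaching the post-process stage.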
How do you implement multiple times with multiple time pickers into these multiple base searches?
But does this work in Splunk v6.0? I am getting a "No search query provided." error.
FYI: the example in the official documentation is here: http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/Savedsearches#Post-process_examples
Normally I'd agree regarding "latest", but since these Answers discussions live forever it's maybe better to assume that and put the version you refer to. Otherwise it makes for a wild goose chase when you find the EXACT answer to your question in an 'old' answer but have no feature/time context. :) But I see your point.
@androchentw, it is better to use "latest" instead of a version so that the Splunk documentation link remains applicable to the latest version until something is deprecated, removed, or moved to a new link:
http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_examples
This is Splunk 6.2+ syntax, which allows you to name searches and reuse them.
I find it much easier and more powerful than the postprocess stanzas.
So I would advise you to upgrade to be able to use this.
Alternatively, it may be doable with Advanced XML, but I never explored it.
I believe this feature (multiple base searches) was implemented with 6.1
Current release is 6.2.3 - You may want to plan an upgrade, as you are two pretty major releases behind.
You can only have one base search in the version you're using and the syntax is different.