Multiple Base searches in a dashboard with post processing searches

Path Finder

I have a dashboard with 4 panels/searches. I want to implement the following scenario :-

<form>
<searchTemplate>FIRST BASE SEARCH</searchTemplate>
<postProcessSearch>Post Processing search 1</postProcessSearch>
<postProcessSearch>Post Processing search 2</postProcessSearch>
<searchTemplate>SECOND BASE SEARCH</searchTemplate>
<postProcessSearch>Post Processing search 3</postProcessSearch>
<postProcessSearch>Post Processing search 4</postProcessSearch>
</form>

Re: Multiple Base searches in a dashboard with post processing searches

Splunk Employee

Use the id= and base= labels. Name your base searches with id and refer to them with base.

<form>
  <label>Multiple Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline. Each Base Search is Named</description>
  <search id="First_Base_Search">
      <query>index=_internal | head 1000</query>
  </search>
  <search id="Second_Base_Search">
      <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  </search>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="First_Base_Search">
          <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="First_Base_Search">
          <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
  <row>
    <chart>
      <title>Events Count by Log Level(Second)</title>
      <search base="Second_Base_Search">
          <query>| stats sum(count) AS count by log_level</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Error Count by Component(Second)</title>
      <search base="Second_Base_Search">
          <query>| search log_level=error | stats sum(count) AS count by component</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>
With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Re: Multiple Base searches in a dashboard with post processing searches

Path Finder

But does this work in Splunk v6.0?
I am getting a "No search query provided." error.

Re: Multiple Base searches in a dashboard with post processing searches

Splunk Employee

I believe this feature (multiple base searches) was implemented with 6.1.
Current release is 6.2.3 - You may want to plan an upgrade, as you are two pretty major releases behind.
You can only have one base search in the version you're using and the syntax is different.

Re: Multiple Base searches in a dashboard with post processing searches

Communicator

This is Splunk 6.2+ syntax, which allows you to name searches and reuse them.
I find it much easier and more powerful than the postprocess stanzas.

So I would advise you to upgrade to be able to use this.
Alternatively, there may be a possibility that's doable with advancedxml, but I never explored it.

Re: Multiple Base searches in a dashboard with post processing searches

Engager

Re: Multiple Base searches in a dashboard with post processing searches

Legend

@androchentw, it is better to use latest instead of the version, so that the Splunk Documentation link remains applicable to the latest version until something is deprecated, removed, or moved to a new link.

http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_examples

| eval message="Happy Splunking!!!"


Re: Multiple Base searches in a dashboard with post processing searches

Splunk Employee

Normally I'd agree regarding "latest", but since these answers discussions live forever it's maybe better to assume that, and put the version you refer to. Otherwise it makes for a wild goose chase when you find the EXACT answer to your question in an 'old' answer but have no feature/time context. :) But I see your point.

Re: Multiple Base searches in a dashboard with post processing searches

Motivator

How do you implement multiple times with multiple time pickers into these multiple base searches?

Re: Multiple Base searches in a dashboard with post processing searches

Motivator

Base searches should be rendered in reporting format. To the first base search, I recommend adding

| stats count by sourcetype _time

possibly with bucket _time span=30m
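
A check that can run over a dashboard's Simple XML before it is deployed, added here as an example (not code from the thread or from Splunk): it verifies that every base= reference resolves to a search id=, as in the accepted answer, and flags base searches that return raw events, following the recommendation above to keep base searches in reporting format. The sample dashboard is constructed, the function name lint_dashboard is hypothetical, and the set of reporting commands is an assumed, non-exhaustive subset.

```python
import xml.etree.ElementTree as ET

# Assumed, non-exhaustive set of SPL reporting (transforming) commands.
TRANSFORMING = {"stats", "timechart", "chart", "top", "rare", "tstats"}

# Constructed sample: one raw-event base search and one dangling base= reference.
SAMPLE_DASHBOARD = """
<form>
  <search id="First_Base_Search">
    <query>index=_internal | head 1000</query>
  </search>
  <search id="Second_Base_Search">
    <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  </search>
  <row>
    <chart>
      <search base="First_Base_Search"><query>timechart count</query></search>
    </chart>
    <table>
      <search base="Third_Base_Search"><query>stats sum(count) AS count by log_level</query></search>
    </table>
  </row>
</form>
"""

def lint_dashboard(xml_text):
    """Return sorted findings about base/post-process search wiring."""
    root = ET.fromstring(xml_text)
    searches = list(root.iter("search"))
    bases = {s.get("id"): (s.findtext("query") or "") for s in searches if s.get("id")}
    findings = []
    for s in searches:
        ref = s.get("base")
        if ref is not None and ref not in bases:
            findings.append(f"post-process search references undefined base '{ref}'")
    for sid, query in bases.items():
        # The first word of each pipeline stage is its command name. Splitting on
        # "|" ignores quoting, which is enough for a lint pass but not a parser.
        cmds = {seg.split()[0].lower() for seg in query.split("|") if seg.strip()}
        if not cmds & TRANSFORMING:
            findings.append(f"base search '{sid}' returns raw events (no reporting command)")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_dashboard(SAMPLE_DASHBOARD):
        print(finding)
```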