Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple Base searches in a dasboard with post processing searches

joydeep741
Path Finder
‎05-25-2015 12:53 AM

I have a dashboard with 4 panels/searches. I want to implement the following scenario :-

<\ FORM>
< searchTemplate >FIRST BASE SEARCH< /searchTemplate >
< postProcessSearch > Post Processing search 1 < /postProcessSearch>
< postProcessSearch > Post Processing search 2 < /postProcessSearch>
< searchTemplate >SECOND BASE SEARCH< /searchTemplate >
< postProcessSearch > Post Processing search 3 < /postProcessSearch>
< postProcessSearch > Post Processing search 4 < /postProcessSearch>
<\ /FORM>

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎05-25-2015 08:38 AM

Use the id= and base= labels. Name your base searches with id and refer to them with base.

<form>
  <label>Multiple Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline. Each Base Search is Named</description>
  <search id="First_Base_Search">
      <query>index=_internal | head 1000</query>
  </search>
   <search id="Second_Base_Search">
      <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  </search>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="First_Base_Search">
          <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="First_Base_Search">
          <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
  <row>
    <chart>
      <title>Events Count by Log Level(Second)</title>
      <search base="Second_Base_Search">
          <query>| stats sum(count) AS count by log_level</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Error Count by Component(Second)</title>
      <search base="Second_Base_Search">
          <query>| search log_level=error | stats sum(count) AS count by component</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>
With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...