Post Process Searches in Dashboard Studio

nathanielchin · ‎08-27-2024

How can I implement a post process search using the Dashboard Studio framework?

I can see that there is excellent documentation for doing this XML (Searches power dashboards and forms - Splunk Documentation), but I can't seem to find relevant information for how to do this in the markdown for Dashboard Studio. Note: I am not attempting to use a savedSearch.

gcusello · ‎08-27-2024

Hi @nathanielchin ,

as @ITWhisperer said, in Dashboard Studio there isn't the Post process Search feature, but it's available a very near feature called "chained searches".

In other words, you have to create your base search and then create the other searches starting from the base search, chaining the new search to it.

For more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/DashStudio/dsChain

Ciao.

Giuseppe

nathanielchin · ‎08-28-2024

I'm familiar with "Chain Searching" - however, when chain searches execute, they also refresh the base search as well as all of the other linked chain searches. This is great for its use case.

However, what I'm intending to do is have a base result set that I can then execute further queries/filters against to display filtered data without having to refresh/re-execute the base search.

Similar to as if I were to use loadjob. The reason I can't use loadjob currently is because I cannot set the base search as a saved search, so I'm looking for a way around this. I also don't quite know how/if it's possible to implement loadjob <sid> into my dashboard based on a sid from another table within the dashboard.

ITWhisperer · ‎08-28-2024

Set your primary data source to a search like this

|  loadjob $<data source which loads your saved search>:job.sid$

The primary search which loads your saved search need to allow access to its metadata e.g.

nathanielchin · ‎08-28-2024

This is the result of the snippet I posted.

nathanielchin · ‎08-28-2024

I don't have a "saved search" for this query, unfortunately, as I'm not yet able to make an actual "saved search".

Just trying to perform some filtering on the results of a search made within the dashboard without reloading the search.

I've attempted what I think it is that you're proposing, but the "PostProcessTable"/"PostProcessSearch", which is supposed to load the job from the "BaseTable"/"BaseSearch" is not loading. Instead, it notes reads, "Waiting for input...".

I will note that I am on Splunk version 9.0.4, and the switch you pointed out "Access search results or metadata" reads as "Use search results or job status as tokens" in my version of Dashboard Studio. I'm not sure if the issue is:

my version of splunk being 9.0.4
the fact that I'm not using a saved search
or I'm implementing your proposal incorrectly (very very possible)

See example snippet below:

 "visualizations": {
"viz_A2Ecjpct": {
"type": "splunk.table",
"dataSources": {
"primary": "ds_fpJiS8Hp"
},
"title": "BaseTable"
},
"viz_Ok7Uvz2b": {
"type": "splunk.table",
"title": "PostProcessTable",
"dataSources": {
"primary": "ds_q4BDo5Wr"
}
}
},
"dataSources": {
"ds_fpJiS8Hp": {
"type": "ds.search",
"options": {
"query": "| makeresults count=5",
"queryParameters": {
"earliest": "-15m",
"latest": "now"
},
"enableSmartSources": true
},
"name": "BaseSearch"
},
"ds_q4BDo5Wr": {
"type": "ds.search",
"options": {
"query": "| loadjob $ds_fpJiS8Hp:job.sid$",
"enableSmartSources": true
},
"name": "PostProcessSearch"
}
},

ITWhisperer · ‎08-27-2024

Do you mean chained searches?

Post Process Searches in Dashboard Studio

Dashboard Studio

other

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake