Question regarding multiple dashboard inputs with the same search ref

EricWehrly
Engager

It appears on my dashboard that if I have several inputs that all have the same search ref, that the "waiting for results" rolls from one to the next and so on. The impression I get is that it's re-running the search for each one, but it should just be the same search re-used across inputs.

I tried migrating the source from
<search ref="my search">
to use a base search but it did not like that.

Am I perceiving the functionality correctly? Is there something that I can do to streamline this?

Thank you

0 Karma

rjthibod
Champion

My experience is that base searches using id="search_name" and then using base="search_name" for input elements does not work.

You can get around this limitation (if it is true) by getting the job SID for the base search and then calling loadjob <YOUR_SID> for the input populating search. That does not seem to have any issue (I use it in my app on Splunk 6.x).

Something like this where the token $base_host_list_sid$ contains the SID for the base search.

<input type="dropdown" token="dashboard_host_filter" searchWhenChanged="true">
  <label>Selected Host</label>
  <search>
    <query>
      | loadjob $base_host_list_sid$
          ...
    </query>
  </search>
</input>
0 Karma

EricWehrly
Engager

Where are you pulling the SID from? In my environment, SIDs don't really last > 7 days .... would a report have a constant SID that is updated with each run?

0 Karma

rjthibod
Champion

I think it would be helpful if you share more about the dashboard/report because reports typically don't have input options.

Also, is your base search a search in a dashboard or is it coming from a savedsearch? I think that may be where the confusion begins for me.

0 Karma

EricWehrly
Engager

The dashboard XML starts more or less like this:

<form>
  <search id="baseSearch">
    <query>(my query)</query>
    <earliest>$timePicker.earliest$</earliest>
    <latest>$timePicker.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="server1" searchWhenChanged="true">
      <label>Server 1</label>
      <search ref="Prod Boxes"></search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
    <input type="dropdown" token="server2" searchWhenChanged="true">
      <label>Server 2</label>
      <search ref="Prod Boxes"></search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
0 Karma

rjthibod
Champion

And where is ref="Prod Boxes" coming from? What is that search supposed to be?

0 Karma

EricWehrly
Engager

I've got a picture of the GUI for the input here:
https://coxautoinc.box.com/s/mf074qitxcm2dzlhbpfz5d1ge7szh3ez

It's set to come from a report, that's scheduled to run daily. The report should kick out all of the hostnames currently in production.

0 Karma

rjthibod
Champion

First, try making fieldForLabel and fieldForValue unique between the two searches. You can disregard my earlier comment about base searches and the SID. I thought you were doing something else.

Also, reports are usually tied to a visualization. The report should be identifiable as a savedsearch, which means you can use the savedsearch command and rename the host fields to be unique. In the example below, I assume your report can be found as the saved search labelled "Prod Boxes". Change that in my example if it is found via a different name.

     <input type="dropdown" token="server1" searchWhenChanged="true">
       <label>Server 1</label>
       <search>
         <query>| savedsearch "Prod Boxes" | rename host as host1</query>
       </search>
       <fieldForLabel>host1</fieldForLabel>
       <fieldForValue>host1</fieldForValue>
     </input>
     <input type="dropdown" token="server2" searchWhenChanged="true">
       <label>Server 2</label>
       <search>
         <query>| savedsearch "Prod Boxes" | rename host as host2</query>
       </search>
       <fieldForLabel>host2</fieldForLabel>
       <fieldForValue>host2</fieldForValue>
     </input>
0 Karma

EricWehrly
Engager

This would be great. Awesome suggestions.

Unfortunately for me, if I tweak it to match that, I get "node is not allowed here" and the inputs don't populate.

0 Karma

rjthibod
Champion

Where do you see "node is not allowed here"?

Also, what version of Splunk are you running?

0 Karma

EricWehrly
Engager

I see it in the dashboard XML editor.

I'm running Splunk Cloud 6.5.1

0 Karma

rjthibod
Champion

You probably need to check that all of your XML is valid. Can you post all of your XML or double-check it in an XML validator in a text editor or online?

0 Karma
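
An offline version of the validation step suggested above, added here as an example and not code from any poster in this thread or from Splunk. It parses a dashboard source, reports XML that is not well-formed, flags an input whose `<search>` has neither a `ref` nor a `<query>` child (inline searches in Simple XML carry their SPL in `<query>`), and counts report references shared by several inputs, which is the case the original poster sees dispatched once per input. The function name `lint_dashboard` and the sample dashboard are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (not the poster's real dashboard): two inputs share one
# report reference, and a third puts SPL directly inside <search>.
SAMPLE = """<form>
  <fieldset submitButton="false">
    <input type="dropdown" token="server1">
      <search ref="Prod Boxes"></search>
    </input>
    <input type="dropdown" token="server2">
      <search ref="Prod Boxes"></search>
    </input>
    <input type="dropdown" token="server3">
      <search>| savedsearch "Prod Boxes"</search>
    </input>
  </fieldset>
</form>"""


def lint_dashboard(xml_text):
    """Return a list of findings for a Simple XML dashboard source."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Not well-formed: report the parser's message and stop.
        return [f"not well-formed XML: {exc}"]
    findings = []
    refs = Counter()
    for inp in root.iter("input"):
        token = inp.get("token", "?")
        for search in inp.findall("search"):
            ref = search.get("ref")
            if ref is not None:
                refs[ref] += 1  # saved report referenced by this input
            elif search.find("query") is None:
                # Inline searches carry their SPL in a <query> child.
                findings.append(f"input {token}: <search> has no ref and no <query>")
    for ref, count in sorted(refs.items()):
        if count > 1:
            findings.append(f"report {ref!r} is referenced by {count} inputs")
    return findings


if __name__ == "__main__":
    for line in lint_dashboard(SAMPLE):
        print(line)
```
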

rjthibod
Champion

As a side note, this sounds like a scenario where you could populate a lookup in a savedsearch, and then use the lookup to populate these inputs and the report. I do that in my own app for something like this. That way, the lookup's content persists even if your Splunk goes down or the TTL on the search expires.

0 Karma

nickhills
Ultra Champion

Take a look here http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Viz/Savedsearches

You're on the right track - you can use saved searches so that the heavy lifting has occurred before you load the dashboard.

You can also load a single search for the dashboard and then post process the results (depending on the search commands your panels use)

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

The link above is for SplunkCloud (which you tagged) but the Splunk Enterprise version (which I think is a bit more comprehensive) is: http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches

If my comment helps, please give it a thumbs up!
0 Karma

EricWehrly
Engager

Right now I'm following what's outlined in http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches#Reference_a_search_from_a_report and have two inputs with the same search ref to a report ... however, when I clean my jobs in the manager and refresh the dashboard, I get one entry per input (so two inputs run the search two times, etc.)

Both of the inputs look like this when referencing the same report:
https://coxautoinc.box.com/s/mf074qitxcm2dzlhbpfz5d1ge7szh3ez

(I'm having a heck of a time getting an image on here so the link will just have to do)

0 Karma