It appears on my dashboard that if I have several inputs that all have the same search ref, the "waiting for results" rolls from one to the next and so on. The impression I get is that it's re-running the search for each one, but it should just be the same search re-used across inputs.
I tried migrating the source from <search ref="my search"> to use a base search but it did not like that.
Am I perceiving the functionality correctly? Is there something that I can do to streamline this?
Thank you
My experience is that base searches using id="search_name" and then using base="search_name" for input elements do not work.
You can get around this limitation (if it is true) by getting the job SID for the base search and then calling loadjob <YOUR_SID> for the input populating search. That does not seem to have any issue (I use it in my app on Splunk 6.x).
Something like this where the token $base_host_list_sid$ contains the SID for the base search.
<input type="dropdown" token="dashboard_host_filter" searchWhenChanged="true">
  <label>Selected Host</label>
  <search>
    <query>
      | loadjob $base_host_list_sid$
      ...
    </query>
  </search>
</input>
Where are you pulling the SID from? In my environment, SIDs don't really last > 7 days .... would a report have a constant SID that is updated with each run?
I think it would be helpful if you share more about the dashboard/report because reports typically don't have input options.
Also, is your base search a search in a dashboard or is it coming from a savedsearch? I think that may be where the confusion begins for me.
The dashboard XML starts more or less like this:
<form>
<search id="baseSearch">
<query>(my query)</query>
<earliest>$timePicker.earliest$</earliest>
<latest>$timePicker.latest$</latest>
</search>
<fieldset submitButton="false">
<input type="dropdown" token="server1" searchWhenChanged="true">
<label>Server 1</label>
<search ref="Prod Boxes"></search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
</input>
<input type="dropdown" token="server2" searchWhenChanged="true">
<label>Server 2</label>
<search ref="Prod Boxes"></search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
</input>
And where is ref="Prod Boxes" coming from? What is that search supposed to be?
I've got a picture of the GUI for the input here:
https://coxautoinc.box.com/s/mf074qitxcm2dzlhbpfz5d1ge7szh3ez
It's set to come from a report, that's scheduled to run daily. The report should kick out all of the hostnames currently in production.
First, try making fieldForLabel and fieldForValue unique between the two searches. You can disregard my earlier comment about base searches and the SID. I thought you were doing something else.
Also, reports are usually tied to a visualization. The report should be identifiable as a savedsearch, which means you can use the savedsearch command and rename the host fields to be unique. In the example below, I assume your report can be found as the saved search labelled "Prod Boxes". Change that in my example if it is found via a different name.
<input type="dropdown" token="server1" searchWhenChanged="true">
  <label>Server 1</label>
  <search><query>| savedsearch "Prod Boxes" | rename host as host1</query></search>
  <fieldForLabel>host1</fieldForLabel>
  <fieldForValue>host1</fieldForValue>
</input>
<input type="dropdown" token="server2" searchWhenChanged="true">
  <label>Server 2</label>
  <search><query>| savedsearch "Prod Boxes" | rename host as host2</query></search>
  <fieldForLabel>host2</fieldForLabel>
  <fieldForValue>host2</fieldForValue>
</input>
This would be great. Awesome suggestions.
Unfortunately for me, if I tweak it to match that, I get "node is not allowed here" and the inputs don't populate.
Where do you see "node is not allowed here"?
Also, what version of Splunk are you running?
I see it in the dashboard XML editor.
I'm running Splunk Cloud 6.5.1
You probably need to check that all of your XML is valid. Can you post all of your XML or double-check it in an XML validator in a text editor or online?
As a side note, this sounds like a scenario where you could populate a lookup in a savedsearch, and then use the lookup to populate these inputs and the report. I do that in my own app for something like this. That way, the lookup's content persists even if your Splunk goes down or the TTL on the search expires.
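The lookup approach suggested in the comment above, sketched as an added example (not code from the thread or from Splunk's documentation): the scheduled report writes the host list to a lookup with outputlookup, and each input reads it with a cheap inputlookup instead of dispatching the report again. The lookup file name prod_boxes.csv and the report's leading search are assumptions.

```xml
<!-- Scheduled report "Prod Boxes" (SPL). The leading search is a placeholder
     for the report's own query; prod_boxes.csv is a hypothetical lookup name:
       <your production host search> | stats count by host | fields host | outputlookup prod_boxes.csv
-->
<form>
  <fieldset submitButton="false">
    <input type="dropdown" token="server1" searchWhenChanged="true">
      <label>Server 1</label>
      <search>
        <!-- Reads the stored lookup; no dependency on a job SID or its TTL -->
        <query>| inputlookup prod_boxes.csv | fields host | sort host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
    <input type="dropdown" token="server2" searchWhenChanged="true">
      <label>Server 2</label>
      <search>
        <query>| inputlookup prod_boxes.csv | fields host | sort host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
  </fieldset>
</form>
```

Each input still runs its own search, but it only reads the lookup file, so the report's heavy query runs once per schedule rather than once per input.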
Take a look here http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Viz/Savedsearches
You're on the right track - you can use saved searches so that the heavy lifting has occurred before you load the dashboard.
You can also load a single search for the dashboard and then post-process the results (depending on the search commands your panels use).
The link above is for SplunkCloud (which you tagged) but the Splunk Enterprise version (which I think is a bit more comprehensive) is: http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches
Right now I'm following what's outlined in http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches#Reference_a_search_from_a_report and have two inputs with the same search ref to a report ... however, when I clean my jobs in the manager and refresh the dashboard, I get one entry per input (so two inputs run the search two times, etc.)
Both of the inputs look like this when referencing the same report:
https://coxautoinc.box.com/s/mf074qitxcm2dzlhbpfz5d1ge7szh3ez
(I'm having a heck of a time getting an image on here so the link will just have to do)