Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Trying to use "map" command in post process dashboard

sairamrambappa
New Member
‎04-15-2018 10:32 PM

I have a base search

    <search id="Extra">
      <query>index=reports | stats count by reportname</query>
      <earliest>$time1.earliest$</earliest>
      <latest>$time1.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">none</option>
  </table>
</panel>
<panel>
  <title>Offer's</title>
  <table>
    <search base="Extra">
      <query> |map search="search index=offered   reportname=$reportname$ |table Offer" maxsearches=0 | dedup Offer </query>
    </search>
    <option name="count">10</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>

the problems is the second search is not giving results.its displaying as "waiting for input" and when I click the magnify glass in the panel it redirects to a search "undefined"

instead of map command if i use any other thing it gives results

Thank you

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-16-2018 07:20 AM

You can solve your most immediate issue by replacing this:

|map search="search index=offered reportname=$reportname$ |table Offer"

with this:

| map [ search index=offered reportname="$$reportname$$" | table Offer ]

See the following two docs for info about needing to wrap variable strings in double dollar signs when using map in a dashboard:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Map
http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/tokens

But this is likely to run you into some timeout issues with the post-process search, and this is almost certainly not the most efficient way to return the results you're looking for. Given the overall structure of the base and post-process search, I'd strongly recommend doing away with the current approach and just use this as a single search with a subsearch:

<panel>
   <title>Offers</title>
   <table>
     <search base="Extra">
       <query>index=offered [ search index=reports | stats count by reportname | fields reportname ] | table Offer | dedup Offer </query>
       <earliest>$time1.earliest$</earliest>
       <latest>$time1.latest$</latest>
     </search>
     <option name="count">10</option>
     <option name="refresh.display">progressbar</option>
   </table>
</panel>

Here's a link to another post where I explain why map is generally a bad choice if you can avoid it at all:
https://answers.splunk.com/answers/618837/why-is-my-map-command-returning-an-error-when-ther-1.html#...
It explains how Splunk expands a subsearch like the one I'm proposing here vs. how Splunk expands the mapped subsearches.

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-16-2018 07:20 AM

You can solve your most immediate issue by replacing this:

|map search="search index=offered reportname=$reportname$ |table Offer"

with this:

| map [ search index=offered reportname="$$reportname$$" | table Offer ]

See the following two docs for info about needing to wrap variable strings in double dollar signs when using map in a dashboard:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Map
http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/tokens

But this is likely to run you into some timeout issues with the post-process search, and this is almost certainly not the most efficient way to return the results you're looking for. Given the overall structure of the base and post-process search, I'd strongly recommend doing away with the current approach and just use this as a single search with a subsearch:

<panel>
   <title>Offers</title>
   <table>
     <search base="Extra">
       <query>index=offered [ search index=reports | stats count by reportname | fields reportname ] | table Offer | dedup Offer </query>
       <earliest>$time1.earliest$</earliest>
       <latest>$time1.latest$</latest>
     </search>
     <option name="count">10</option>
     <option name="refresh.display">progressbar</option>
   </table>
</panel>

Here's a link to another post where I explain why map is generally a bad choice if you can avoid it at all:
https://answers.splunk.com/answers/618837/why-is-my-map-command-returning-an-error-when-ther-1.html#...
It explains how Splunk expands a subsearch like the one I'm proposing here vs. how Splunk expands the mapped subsearches.

Reply
Solved! Jump to solution

sairamrambappa
New Member
‎04-16-2018 09:31 AM

| map [ search index=offered reportname="$$reportname$$" | table Offer ]

This worked like a charm !! Thank you ............but its slow

0 Karma
Reply
Solved! Jump to solution

sairamrambappa
New Member
‎04-16-2018 10:39 AM

But When the "map" panel has no values it is giving an error like dis

Error in 'map': Did not find value for required attribute 'reportname'.

is there any way I can hide this ?

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-16-2018 11:54 AM

Do you want the whole panel hidden, or are you OK with it just saying no results found? If the latter, then just add fill null reportname value="" before the call to map.

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-16-2018 12:32 PM

Ok, in this case you'll need something like this:

<search id="Extra">
       <query>index=reports | stats count by reportname</query>
       <earliest>$time1.earliest$</earliest>
       <latest>$time1.latest$</latest>
    <done>
      <condition match="$job.resultCount$ != 0">
        <set token="showResults"></set>
      </condition>
    </done>
     </search>
    <init>
      <unset token="showResults"></unset>
    </init>
     <option name="count">10</option>
     <option name="drilldown">none</option>
   </table>
 </panel>
 <panel depends="$showResults$">
   <title>Offers</title>
   <table>
     <search base="Extra">
       <query> | map [ search index=offered reportname="$$reportname$$" | table Offer ] maxsearches=0 | dedup Offer </query>
     </search>
     <option name="count">10</option>
     <option name="refresh.display">progressbar</option>
   </table>
 </panel>

This conditionally sets a token called "showResults" if the result count from the base search is not zero. If the token is set, then the panel will display. The token defaults to being unset because of the <init> element.

0 Karma
Reply
Solved! Jump to solution

sairamrambappa
New Member
‎04-16-2018 11:57 AM

The whole panel to be hidden until we have results.

if there are no results I don't want it to show,please

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-16-2018 09:46 AM

Yes, it will definitely be slow. I strongly urge you to change your approach to direct subsearch that I offered in the XML code sample above!

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-16-2018 05:01 AM

Can you share complete xml? Also can you try to define base search globally instead in panel. Refer this doc:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Buildandeditforms#Create_a_form_with_a_global...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...