Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trying to use "map" command in post process dashboard

sairamrambappa
New Member
‎04-15-2018 10:32 PM

I have a base search

    <search id="Extra">
      <query>index=reports | stats count by reportname</query>
      <earliest>$time1.earliest$</earliest>
      <latest>$time1.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">none</option>
  </table>
</panel>
<panel>
  <title>Offer's</title>
  <table>
    <search base="Extra">
      <query> |map search="search index=offered   reportname=$reportname$ |table Offer" maxsearches=0 | dedup Offer </query>
    </search>
    <option name="count">10</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>

the problems is the second search is not giving results.its displaying as "waiting for input" and when I click the magnify glass in the panel it redirects to a search "undefined"

instead of map command if i use any other thing it gives results

Thank you

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-16-2018 07:20 AM

You can solve your most immediate issue by replacing this:

|map search="search index=offered reportname=$reportname$ |table Offer"

with this:

| map [ search index=offered reportname="$$reportname$$" | table Offer ]

See the following two docs for info about needing to wrap variable strings in double dollar signs when using map in a dashboard:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Map
http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/tokens

But this is likely to run you into some timeout issues with the post-process search, and this is almost certainly not the most efficient way to return the results you're looking for. Given the overall structure of the base and post-process search, I'd strongly recommend doing away with the current approach and just use this as a single search with a subsearch:

<panel>
   <title>Offers</title>
   <table>
     <search base="Extra">
       <query>index=offered [ search index=reports | stats count by reportname | fields reportname ] | table Offer | dedup Offer </query>
       <earliest>$time1.earliest$</earliest>
       <latest>$time1.latest$</latest>
     </search>
     <option name="count">10</option>
     <option name="refresh.display">progressbar</option>
   </table>
</panel>

Here's a link to another post where I explain why map is generally a bad choice if you can avoid it at all:
https://answers.splunk.com/answers/618837/why-is-my-map-command-returning-an-error-when-ther-1.html#...
It explains how Splunk expands a subsearch like the one I'm proposing here vs. how Splunk expands the mapped subsearches.

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-16-2018 07:20 AM

You can solve your most immediate issue by replacing this:

|map search="search index=offered reportname=$reportname$ |table Offer"

with this:

| map [ search index=offered reportname="$$reportname$$" | table Offer ]

See the following two docs for info about needing to wrap variable strings in double dollar signs when using map in a dashboard:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Map
http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/tokens

But this is likely to run you into some timeout issues with the post-process search, and this is almost certainly not the most efficient way to return the results you're looking for. Given the overall structure of the base and post-process search, I'd strongly recommend doing away with the current approach and just use this as a single search with a subsearch:

<panel>
   <title>Offers</title>
   <table>
     <search base="Extra">
       <query>index=offered [ search index=reports | stats count by reportname | fields reportname ] | table Offer | dedup Offer </query>
       <earliest>$time1.earliest$</earliest>
       <latest>$time1.latest$</latest>
     </search>
     <option name="count">10</option>
     <option name="refresh.display">progressbar</option>
   </table>
</panel>

Here's a link to another post where I explain why map is generally a bad choice if you can avoid it at all:
https://answers.splunk.com/answers/618837/why-is-my-map-command-returning-an-error-when-ther-1.html#...
It explains how Splunk expands a subsearch like the one I'm proposing here vs. how Splunk expands the mapped subsearches.

Reply
Solved! Jump to solution

sairamrambappa
New Member
‎04-16-2018 09:31 AM

| map [ search index=offered reportname="$$reportname$$" | table Offer ]

This worked like a charm !! Thank you ............but its slow

0 Karma
Reply
Solved! Jump to solution

sairamrambappa
New Member
‎04-16-2018 10:39 AM

But When the "map" panel has no values it is giving an error like dis

Error in 'map': Did not find value for required attribute 'reportname'.

is there any way I can hide this ?

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-16-2018 11:54 AM

Do you want the whole panel hidden, or are you OK with it just saying no results found? If the latter, then just add fill null reportname value="" before the call to map.

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-16-2018 12:32 PM

Ok, in this case you'll need something like this:

<search id="Extra">
       <query>index=reports | stats count by reportname</query>
       <earliest>$time1.earliest$</earliest>
       <latest>$time1.latest$</latest>
    <done>
      <condition match="$job.resultCount$ != 0">
        <set token="showResults"></set>
      </condition>
    </done>
     </search>
    <init>
      <unset token="showResults"></unset>
    </init>
     <option name="count">10</option>
     <option name="drilldown">none</option>
   </table>
 </panel>
 <panel depends="$showResults$">
   <title>Offers</title>
   <table>
     <search base="Extra">
       <query> | map [ search index=offered reportname="$$reportname$$" | table Offer ] maxsearches=0 | dedup Offer </query>
     </search>
     <option name="count">10</option>
     <option name="refresh.display">progressbar</option>
   </table>
 </panel>

This conditionally sets a token called "showResults" if the result count from the base search is not zero. If the token is set, then the panel will display. The token defaults to being unset because of the <init> element.

0 Karma
Reply
Solved! Jump to solution

sairamrambappa
New Member
‎04-16-2018 11:57 AM

The whole panel to be hidden until we have results.

if there are no results I don't want it to show,please

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-16-2018 09:46 AM

Yes, it will definitely be slow. I strongly urge you to change your approach to direct subsearch that I offered in the XML code sample above!

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-16-2018 05:01 AM

Can you share complete xml? Also can you try to define base search globally instead in panel. Refer this doc:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Buildandeditforms#Create_a_form_with_a_global...

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...