Dashboards & Visualizations

Using base search in drop down list

Communicator

Hello,

We're newbie to Splunk app development and using Splunk 7.3.5.

We wrote a testing app  based on sample here https://docs.splunk.com/Documentation/Splunk/7.3.5/Viz/Buildandeditforms, with a time picker and a drop down list which is populated from the base search.

We think the app will not do anything except populating the drop down list, until user select both time range and choice in the drop down list.

 

However, it doesn't work as expected.   When the page is loaded:

- The drop down list keeps showing Populating...  for long time (usually the same search returns within 1 minute).     Then shows "Search produced no results" at end.

- The searches in panel start to run  when the page is loaded even before any user input.  The search picks the default value in drop down list.

 

We tried to use full search instead of base search, the app works as expected.

We must missed something in the code.    Would anyone please help?

Thanks a lot.

 

 

<form>
  <label>WWW Statistics </label>
  <description>WWW statistics (department, browser information)</description>
  <search id="baseSearch">
      <query>
         <![CDATA[index=application host="landing.itsc.cuhk.edu.hk" sourcetype=access_combined POST OR GET status<400 | rex field=uri "\/(?<deptcode>[^\/]+)\/" 
         ]]>
      </query>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time">
      <label></label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="d_name" searchWhenChanged="true">
      <label>Select a department</label>
      <search base="baseSearch">
        <query>
          fields deptcode  | stats count by deptcode
        </query>
      </search>
      <fieldForLabel>deptcode</fieldForLabel>splu
      <fieldForValue>deptcode</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Access rate for department $d_name$</title>
      <chart>
        <search base="baseSearch">
          <query> fields deptcode useragent| search deptcode=$d_name$ | timechart count</query>
        </search>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Time distribution of browser for department $d_name$</title>
      <chart>
        <search base="baseSearch">
          <query> fields deptcode useragent | search deptcode=$d_name$ | rename useragent as http_user_agent | lookup user_agents http_user_agent | timechart count by ua_family usenull=f useother=f</query>
        </search>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Browser distribution</title>
      <chart>
        <search base="searchBase">
          <query> fields deptcode useragent | search deptcode=$d_name$ |  rename useragent as http_user_agent | lookup user_agents http_user_agent |stats count by ua_family</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <single>
        <title>Total access for department $d_name$ between $fromDate$ and $toDate$</title>
        <search base="baseSearch">
          <query>
            fields deptcode useragent | search deptcode=$d_name$ |stats count
          </query>
          <done>
            <eval token="Tearliest">strftime($baseSearch1.info_min_time$,"%F %T")</eval>
            <eval token="Tlatest">strftime($baseSearch1.info_max_time$,"%F %T")</eval>
            <eval token="fromDate">strftime($earliest$,"%Y%m/%d %H:%M:%S")</eval>
            <eval token="toDate">strftime($latest$, "%Y%m/%d %H:%M:%S")</eval>
          </done>
        </search>
      </single>
    </panel>
  </row>
</form>

 

Labels (2)
0 Karma
1 Solution

Legend

Hi @stwong ,

There are some errors:

in base search:

<query>
    index=application host="landing.itsc.cuhk.edu.hk" sourcetype=access_combined (POST OR GET) status<400 | rex field=uri "\/(?<deptcode>[^\/]+)\/" 
</query>

the initial part "<![CDATA[..." it's for drilldown!

but the main problem is that you didn't inserted the time token in the base search:

it's missing the time tokan name in the Time input

    <input type="time" token="Time">
      <label>periodo</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>

and the time borders in the base search are missing: 

  <search id="baseSearch">
      <query>
         index=application host="landing.itsc.cuhk.edu.hk" sourcetype=access_combined POST OR GET status<400 | rex field=uri "\/(?<deptcode>[^\/]+)\/" 
      </query>
      <earliest>$Time.earliest$</earliest>
      <latest>$Time.latest$</latest>
  </search>

for this reason it's so slow, because it searches on all the time!

For more infos about inputs see in the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/) how to populate a dropdown and how to use it.

Ciao.

Giuseppe

View solution in original post

Communicator

Hi all,  thanks a lot for all of your help.

Fixed the base search issue after adding the time token.

Since we defined submitButton to no/false,  the base search runs automatically as autoRun=true is implied.

Seems we need to set submitButton to true in order to stop the search from running before user selecting the time range.

We modified the fieldset as following and hope to achieve:

1. on page load: populate the drop down list with default time range.  

2. before user input (time and department), searches in panels will not run automatically.

3. if user select a different time range, the drop down list will populate again.

4. if user select a department and press submit botton,  searches in panels will run accordingly with current time range selected (or default if not changed by users).

but seems points 3 and 4 don't work as expected.

Is there anything missed?   Thanks.

  <fieldset submitButton="yes" autoRun="false">
    <input type="time" token="Time" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="d_name" searchWhenChanged="false">
      <label>Select a department</label>
      <search base="baseSearch">
        <query>
          fields deptcode | stats count by deptcode
        </query>
      </search>
      <fieldForLabel>deptcode</fieldForLabel>
      <fieldForValue>deptcode</fieldForValue>
      <choice value="*">All</choice>
    </input>
  </fieldset>

 

Btw, we hope to speed up the dashboard,  can we accelerate a report with the base search ?

Thanks again.

Best Regards

0 Karma

Motivator

You can use a saved search as a base search with

 

<search id="baseSearch" ref="savedSearch"/>

 

As for re-triggering searches to run, I use a token in the search that when the token value changes, will result in the search rerunning. I typically do with with

 

<init>
  <set token="trigger">0</set>
</init>

 

 

Then in the place where I want to trigger the search to run again, this could be a <change> condition or a <done> clause of a search, and do

 

<eval token="trigger">$trigger$+1</eval>

The search will then have 

<search depends="$trigger$">

 

0 Karma

Motivator

@stwong 

In addition to the other comments, I suspect your issue may be because non transforming base searches require a 

| fields a b c 

statement at the end of the search, otherwise it may not return any fields.

See the 'Best practices' section here for a discussion on that.

https://docs.splunk.com/Documentation/Splunk/8.0.4/Viz/Savedsearches

 

Legend

Hi @stwong ,

There are some errors:

in base search:

<query>
    index=application host="landing.itsc.cuhk.edu.hk" sourcetype=access_combined (POST OR GET) status<400 | rex field=uri "\/(?<deptcode>[^\/]+)\/" 
</query>

the initial part "<![CDATA[..." it's for drilldown!

but the main problem is that you didn't inserted the time token in the base search:

it's missing the time tokan name in the Time input

    <input type="time" token="Time">
      <label>periodo</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>

and the time borders in the base search are missing: 

  <search id="baseSearch">
      <query>
         index=application host="landing.itsc.cuhk.edu.hk" sourcetype=access_combined POST OR GET status<400 | rex field=uri "\/(?<deptcode>[^\/]+)\/" 
      </query>
      <earliest>$Time.earliest$</earliest>
      <latest>$Time.latest$</latest>
  </search>

for this reason it's so slow, because it searches on all the time!

For more infos about inputs see in the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/) how to populate a dropdown and how to use it.

Ciao.

Giuseppe

View solution in original post

SplunkTrust
SplunkTrust
To prevent a search from running until the user has made a selection, include an input token in that search.
---
If this reply helps you, an upvote would be appreciated.