
Using searchPostProcess with input tokens

Path Finder

I need to drive 2 different searches from a form input.
It's a very basic dashboard where I need a configurable timechart (where span and aggregation are chosen from input boxes)

However, I need to also display a total count single value

Using the info in the documentation I tried to use FormSearchPostProcess, but it won't accept input tokens:

<searchPostProcess>stats count</searchPostProcess> <--- OK

<searchPostProcess>timechart count span=$span$ $aggr$</searchPostProcess> <--- ERROR

I can solve the problem doing 2 parallel searches (repeating searchTemplate twice) but it's not so optimal, although all this data is coming from Summary Indexes (and the queries are very fast)

To do this, must I use Advanced XML?

1 Solution

Explorer

You can use multiple searchTemplate tags throughout your form. No need for PostProcess. I had this same issue, removed my searchTemplate that had the beginning of my search and just replaced the searchPostProcess tags with searchTemplate. And voilà.


Path Finder

Can you do the timechart in your original search template and then only post process for the stats? Something like this:

<searchTemplate>your search | timechart count span=$span$ $aggr$</searchTemplate>

<searchPostProcess>stats count</searchPostProcess>

Or is it that you only want to aggregate on the timechart, but not the stats chart? What kind of values are you using for $aggr$?

Alternately, the problem might be that the field being used for $aggr$ is not present in your postprocess. So perhaps adding all the possible fields from your dropdown to the search template will help. Something like this:

<searchTemplate>your search | fields aggrfield1 aggrfield2 ...</searchTemplate>


SplunkTrust

Note that your postprocess there will simply count the number of time buckets coming out of the timechart, not the number of actual events being counted in the timechart. Read the postprocess documentation in Sideview Utils ("Key Techniques > Using PostProcess > Introduction") to get a good overview and an illustration of the various pitfalls involved.



SplunkTrust

In the core Splunk UI, the HiddenPostProcess module is not capable of doing dynamic token replacement (aka $foo$ replacement) at all. Even if you switch to advanced XML, you'll still have to run two searches to get what you need.

However, you might want to check out the Sideview Utils app on Splunkbase. Sideview Utils brings a number of new modules into the arsenal, and it also contains its own documentation about how to use these modules in your views. In particular, it packages a 'PostProcess' module that is intended to supersede the 'HiddenPostProcess' module. And 'PostProcess' accepts $foo$ tokens in its 'search' param. In fact, the vast majority of params across all of the Sideview Utils modules accept $foo$ tokens.

Builder

To my knowledge, the module "HiddenPostProcess" is only available in the advanced XML.

Here's the page about it in the docs: Post Process

What I really want to stress is that the post process module needs to have a parent search that will construct the data needed for all of the following searches, not the actual events. In your case, your parent search would be best to have timechart count span=$span$ $aggr$ appended to it, and then do a simple | stats sum(count) as your post process.
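Putting the thread's advice together as one legacy simple XML form (an added example, not posted by anyone in this thread): the tokens live only in the form-level searchTemplate, so the token-free searchPostProcess is accepted, and the single value sums the timechart's counts instead of counting its buckets. The index and sourcetype are placeholders, and the post process goes through untable (my addition to the Builder's stats sum(count)) so it also works when $aggr$ splits the timechart into one column per series.

```xml
<form>
  <label>Summary index timechart with configurable span</label>

  <!-- Parent search: the only place tokens are substituted.
       Replace the index/sourcetype placeholders with your summary index. -->
  <searchTemplate>index=PLACEHOLDER_SUMMARY_INDEX sourcetype=PLACEHOLDER_SOURCETYPE | timechart count span=$span$ $aggr$</searchTemplate>
  <earliestTime>-24h</earliestTime>
  <latestTime>now</latestTime>

  <fieldset>
    <input type="text" token="span">
      <label>Span</label>
      <default>1h</default>
    </input>
    <!-- $aggr$ is either empty (single series) or a split-by clause -->
    <input type="dropdown" token="aggr">
      <label>Split by</label>
      <choice value="">None</choice>
      <choice value="by host">host</choice>
      <choice value="by sourcetype">sourcetype</choice>
      <default></default>
    </input>
  </fieldset>

  <row>
    <!-- Uses the parent search results directly -->
    <chart>
      <title>Events per $span$</title>
      <option name="charting.chart">column</option>
    </chart>

    <!-- Post process with no tokens. The parent returns one row per time
         bucket (columns: _time plus either "count" or one column per
         series), so "stats count" would count buckets. untable turns every
         series column into rows of (_time, series, count), and summing
         "count" gives the real event total in both the split and unsplit
         cases. -->
    <single>
      <title>Total events</title>
      <searchPostProcess>untable _time series count | stats sum(count) AS count</searchPostProcess>
    </single>
  </row>
</form>
```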