
XML help? Dashboard has 3 panels -- only one panel populates data. All searches work if conducted independently, however.

alanhowlett
New Member

I have created a new dashboard and configured the base search, but only one of the 3 panels (Web Server Error Summary) is populating the data. If I run the searches independently of the dashboard they work, but when loading the dashboard only one works.

Could you please take a look at the below XML and point me in the right direction.

Web Analytics Base Search

<search id="baseSearch">
  <query>sourcetype=access_* status=* action=view OR action=purchase</query>
  <earliest>@y</earliest>
  <latest>now</latest>
  <sampleRatio>1</sampleRatio>
</search>


<panel>
  <title>Top Products</title>
  <table>
    <search base="baseSearch">
      <query> | top limit=5 productName | rename productName AS "Product" | rename count AS "Purchased"</query>
    </search>
  </table>
</panel>


<panel>
  <title>Unique Visitors</title>
  <table>
    <search base="baseSearch">
      <query> | dedup clientip | stats count | rename count as "Unique Visitors"</query>
    </search>
  </table>
</panel>


<panel>
  <title>Web Server Error Summary</title>
  <table>
    <search base="baseSearch">
      <query>search status>=400 | top limit=5 status by host | sort -count</query>
    </search>
  </table>
</panel>

Thanks

Al

0 Karma

alanhowlett
New Member

I also left in the search status>=400 | top limit=5 status by host | sort -count for the web server error summary, as I wanted to see the count of errors per host.

Again, thanks guys.

0 Karma

alanhowlett
New Member

Still didn't work.

I added in a before the title for Unique Visitors.

Added "productId="" clientip="" status="*" | stats count as Total by host clientip productId status" to the base search.

And changed the Top Products search to
| stats sum(Total) as Purchased by productId
| sort - Purchased
| head 5
| rename productId AS "Product"

Then it worked.

0 Karma

niketn
Legend

@alanhowlett, please refer to my answer. These are the exact steps mentioned. Please accept the answer if you are able to proceed!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

alanhowlett
New Member

Thanks guys.

niketnilay yours worked.

kamlesh_vaghela yours did the same as mine.

0 Karma

niketn
Legend

@alanhowlett, please accept my answer if it helped. I hope you are considering when to use Post Processing and when not to use the same as per best practices.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@alanhowlett, I think you have mistaken the use case for Post Processing. Please go through Post Processing Best Practices to ensure that you apply it only for the appropriate use case and with optimized SPL in the base search: https://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices

1) The final pipe of the base search should ideally be a transforming command like stats.
2) Ideally the base search should not return more than 500,000 events, or else the excess will get silently dropped.
3) Since you are trying to perform a query from year to date, you should pick summarized data (summary index) for such a dashboard to minimize the number of events.
4) If none of these approaches help you build the entire dashboard out of a single base search, you are better off running separate independent searches, which might actually perform better.

Please try out the following example instead (based on Splunk Tutorial Data). As you can see, the final query in the base search is performing a count on all required fields to reduce the number of results in the base search.

PS: I could find productId and not productName in the tutorial data, hence the following sample code is using productId.

<dashboard>
  <label>Post Processing Example</label>
  <search id="baseSearch">
    <query>index=main sourcetype=access_* status=* action=view OR action=purchase productId="*" clientip="*" status="*"
| stats count as Total by host clientip productId status</query>
    <earliest>@y</earliest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <title>Unique Visitors</title>
      <single>
        <search base="baseSearch">
          <query> | stats dc(clientip) as "Unique Visitors"</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Web Server Error Summary</title>
      <chart>
        <search base="baseSearch">
          <!-- Base rows are already aggregated (one row per host/clientip/productId/status),
               so weight by Total instead of counting rows to get the number of error events -->
          <query>| stats sum(eval(if(status>=400, Total, 0))) as Errors by host
  | sort - Errors
  | head 5</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <title>Top Products</title>
      <chart>
        <search base="baseSearch">
          <query>| stats sum(Total) as Purchased by productId
  | sort - Purchased
  | head 5
  | rename productId AS "Product"</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
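The answer above turns on one detail that is easy to miss: once the base search ends in stats, every post-process search runs over aggregated rows, not over events, so any count has to be re-weighted by the Total column. The following Python model is an added example (not code from the thread or from Splunk) that replays the thread's base search and its three post-process searches over a handful of constructed access-log events. It contrasts a row count with a Total-weighted sum for the error summary, and it also checks the base result against the 500,000-row limit mentioned in point 2, raising instead of silently dropping (Splunk's real behaviour) so that the condition is visible. The event values, hostnames and product ids are constructed sample data.

```python
from collections import Counter

# Constructed sample web access events (not real data): the fields the
# thread's base search keeps, plus action, which the base search does NOT
# keep in its by-clause and which is therefore unavailable to post-process.
EVENTS = [
    {"host": "www1", "clientip": "10.0.0.1", "productId": "WC-SH-G04", "status": 200, "action": "view"},
    {"host": "www1", "clientip": "10.0.0.1", "productId": "WC-SH-G04", "status": 200, "action": "purchase"},
    {"host": "www1", "clientip": "10.0.0.2", "productId": "DB-SG-G01", "status": 503, "action": "view"},
    {"host": "www1", "clientip": "10.0.0.2", "productId": "DB-SG-G01", "status": 503, "action": "view"},
    {"host": "www1", "clientip": "10.0.0.2", "productId": "DB-SG-G01", "status": 503, "action": "view"},
    {"host": "www2", "clientip": "10.0.0.3", "productId": "DB-SG-G01", "status": 404, "action": "view"},
    {"host": "www2", "clientip": "10.0.0.3", "productId": "WC-SH-G04", "status": 200, "action": "purchase"},
    {"host": "www2", "clientip": "10.0.0.4", "productId": "FS-SG-G03", "status": 500, "action": "view"},
    {"host": "www3", "clientip": "10.0.0.1", "productId": "FS-SG-G03", "status": 200, "action": "view"},
]

# Documented cap on base-search results that post-process searches can see.
POST_PROCESS_ROW_LIMIT = 500_000

BY_FIELDS = ("host", "clientip", "productId", "status")


def base_search(events, by_fields=BY_FIELDS):
    """Model `... | stats count as Total by host clientip productId status`.

    Each returned row carries only the by-fields plus Total; all other event
    fields (here: action) are gone, and event multiplicity lives in Total.
    """
    totals = Counter(tuple(e[f] for f in by_fields) for e in events)
    rows = [dict(zip(by_fields, key), Total=n) for key, n in totals.items()]
    if len(rows) > POST_PROCESS_ROW_LIMIT:
        # Splunk would silently truncate; the model fails loudly instead.
        raise ValueError(
            f"base search produced {len(rows)} rows; anything past "
            f"{POST_PROCESS_ROW_LIMIT} would be dropped before post-process"
        )
    return rows


def unique_visitors(rows):
    """`| stats dc(clientip)`: valid because clientip is a by-field of the base."""
    return len({r["clientip"] for r in rows})


def errors_by_host_rowcount(rows, top=5):
    """`| stats count(eval(status>=400)) as Errors by host` over aggregated rows.

    Counts distinct (clientip, productId, status) combinations per host, which
    is not the number of error events.
    """
    c = Counter()
    for r in rows:
        if r["status"] >= 400:
            c[r["host"]] += 1
    return c.most_common(top)


def errors_by_host(rows, top=5):
    """`| stats sum(eval(if(status>=400, Total, 0))) as Errors by host`.

    Re-weights each qualifying row by Total, recovering the event count.
    """
    c = Counter()
    for r in rows:
        if r["status"] >= 400:
            c[r["host"]] += r["Total"]
    return c.most_common(top)


def top_products(rows, top=5):
    """`| stats sum(Total) as Purchased by productId | sort - Purchased | head 5`.

    Note: because action is not a by-field, this sums views and purchases alike.
    """
    c = Counter()
    for r in rows:
        c[r["productId"]] += r["Total"]
    return c.most_common(top)


def ground_truth_errors(events, top=5):
    """Error events per host computed directly from the raw events, for comparison."""
    return Counter(e["host"] for e in events if e["status"] >= 400).most_common(top)


if __name__ == "__main__":
    rows = base_search(EVENTS)
    print("base rows:", len(rows), "(from", len(EVENTS), "events)")
    print("unique visitors:", unique_visitors(rows))
    print("errors, row count:   ", errors_by_host_rowcount(rows))
    print("errors, sum(Total):  ", errors_by_host(rows))
    print("errors, ground truth:", ground_truth_errors(EVENTS))
    print("top products:", top_products(rows))
```

Running it shows the row-count variant ranking www2 above www1 even though www1 served more error responses; only the Total-weighted sum agrees with the raw events. The same reasoning explains why a field that is not in the base search's by-clause cannot be used by any panel, and why the base search should keep exactly the fields the panels need and no more.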

kamlesh_vaghela
SplunkTrust

Hi @alanhowlett,

Can you please try this?

<form>
  <label>My test Dashboard</label>
  <search id="baseSearch">
    <query>sourcetype=access_* status=* action=view OR action=purchase</query>
    <earliest>@y</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <title>Top Products</title>
      <table>
        <search base="baseSearch">
          <query>top limit=5 productName | rename productName AS "Product" | rename count AS "Purchased"</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Unique Visitors</title>
      <table>
        <search base="baseSearch">
          <query>dedup clientip | stats count | rename count as "Unique Visitors"</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Web Server Error Summary</title>
      <table>
        <search base="baseSearch">
          <query>search status>=400 | top limit=5 status by host | sort -count</query>
        </search>
      </table>
    </panel>
  </row>
</form>

Thanks

0 Karma