I have created a new dashboard and configured the base search, but only one of the 3 panels (Web Server Error Summary) is populating the data. If I run the searches independently of the dashboard they work, but when loading the dashboard only one works.
Could you please take a look at the below XML and point me in the right direction.
Web Analytics Base Search
<query>sourcetype=access_* status=* action=view OR action=purchase</query>
<earliest>@y</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<panel>
<title>Top Products</title>
<table>
<search base="baseSearch">
<query> | top limit=5 productName | rename productName AS "Product" | rename count AS "Purchased"</query>
</search>
</table>
</panel>
<panel>
<title>Unique Visitors</title>
<table>
<search base="baseSearch">
<query> | dedup clientip | stats count | rename count as "Unique Visitors"</query>
</search>
</table>
</panel>
<panel>
<title>Web Server Error Summary</title>
<table>
<search base="baseSearch">
<query>search status>=400 | top limit=5 status by host | sort -count</query>
</search>
</table>
</panel>
Thanks
Al
I also left in the search status>=400 | top limit=5 status by host | sort -count for the web server errors summary.
As I wanted to see the count of errors per host.
Again thanks Guys.
Still didn't work.
I added in a before the tile for Unique Visitors.
Added "productId="*" clientip="*" status="*" | stats count as Total by host clientip productId status" to the base search.
And changed the Top Products search to
| stats sum(Total) as Purchased by productId
| sort - Purchased
| head 5
| rename productId AS "Product"
Then it worked.
@alanhowlett, please refer to my answer. These are the exact steps mentioned. Please accept the answer, if you are able to proceed!
Thanks guys.
niketnilay yours worked.
kamlesh_vaghela yours did the same as mine.
@alanhowlett, please accept my answer if it helped. I hope you are considering when to use Post Processing and when not to use the same as per best practices.
@alanhowlett, I think you have mistaken the use case for Post Processing. Please go through Post Processing Best Practices to ensure that you apply it only for the appropriate use case and with optimized SPL in the base search: https://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices
1) The final pipe of the base search should ideally be a transforming command like stats.
2) Ideally the base search should not have more than 500,000 events, or else they will get silently dropped.
3) Since you are trying to perform a query from year to date, you should pick summarized data (summary index) for such a dashboard to minimize the number of events.
4) If none of the approaches helps you build the entire dashboard out of a single base search, you are better off running separate independent searches, which might actually perform better.
Please try out the following example instead (based on Splunk Tutorial Data). As you can see, the final query in the base search performs a count on all required fields to reduce the number of results in the base search.
PS: I could find productId and not productName in the tutorial data, hence the following sample code is using productId.
<dashboard>
<label>Post Processing Example</label>
<search id="baseSearch">
<query>index=main sourcetype=access_* status=* action=view OR action=purchase productId="*" clientip="*" status="*"
| stats count as Total by host clientip productId status</query>
<earliest>@y</earliest>
<sampleRatio>1</sampleRatio>
</search>
<row>
<panel>
<title>Unique Visitors</title>
<single>
<search base="baseSearch">
<query> | stats dc(clientip) as "Unique Visitors"</query>
</search>
</single>
</panel>
<panel>
<title>Web Server Error Summary</title>
<chart>
<search base="baseSearch">
<query>| stats count(eval(status>=400)) as Errors by host
| sort - Errors
| head 5 </query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Top Products</title>
<chart>
<search base="baseSearch">
<query> | stats sum(Total) as Purchased by productId
| sort - Purchased
| head 5
| rename productId AS "Product" </query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
</dashboard>
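Best practice 1 from the answer above can be checked before a dashboard is deployed. The following is an added example, not part of the original answer or of Splunk's tooling: a small Python lint that flags any base search feeding post-process panels whose last pipeline stage is not a transforming command. The `TRANSFORMING` set is an assumed partial list, the function names are hypothetical, and the two sample dashboards are constructed from the queries quoted in this thread.

```python
import xml.etree.ElementTree as ET

# Assumption: partial list of SPL transforming commands, enough for this check.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}

def split_pipeline(spl):
    """Split SPL on pipes, ignoring pipes inside quotes or [subsearches]."""
    stages, buf, quoted, depth = [], [], False, 0
    for ch in spl:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "[]":
            depth += 1 if ch == "[" else -1
        if ch == "|" and not quoted and depth == 0:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]

def lint_dashboard(xml_text):
    """Return (search id, last command) for each base search that feeds
    post-process panels but does not end in a transforming command."""
    root = ET.fromstring(xml_text)
    used = {s.get("base") for s in root.iter("search") if s.get("base")}
    findings = []
    for s in root.iter("search"):
        if s.get("id") not in used:
            continue
        stages = split_pipeline(s.findtext("query") or "")
        last = stages[-1].split()[0].lower() if stages else ""
        if last not in TRANSFORMING:
            findings.append((s.get("id"), last))
    return findings

# Constructed samples built from the queries quoted in this thread.
PANEL = ('<row><panel><table><search base="baseSearch"><query>| stats dc(clientip)'
         '</query></search></table></panel></row>')
BEFORE = ('<form><search id="baseSearch"><query>sourcetype=access_* status=* '
          'action=view OR action=purchase</query></search>' + PANEL + '</form>')
AFTER = ('<dashboard><search id="baseSearch"><query>index=main sourcetype=access_* '
         'action=view OR action=purchase | stats count as Total by host clientip '
         'productId status</query></search>' + PANEL + '</dashboard>')

if __name__ == "__main__":
    print("before:", lint_dashboard(BEFORE))
    print("after: ", lint_dashboard(AFTER))
```

The quote handling does not cover backslash-escaped quotes inside SPL strings, so treat a finding as a prompt to review the base search rather than a verdict.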
Hi @alanhowlett,
Can you please try this ?
<form>
<label>My test Dashboard</label>
<search id="baseSearch">
<query>sourcetype=access_* status=* action=view OR action=purchase </query>
<earliest>@y</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<row>
<panel>
<title>Top Products</title>
<table>
<search base="baseSearch">
<query>top limit=5 productName | rename productName AS "Product" | rename count AS "Purchased"</query>
</search>
</table>
</panel>
<panel>
<title>Unique Visitors</title>
<table>
<search base="baseSearch">
<query>dedup clientip | stats count | rename count as "Unique Visitors"</query>
</search>
</table>
</panel>
<panel>
<title>Web Server Error Summary</title>
<table>
<search base="baseSearch">
<query>search status>=400 | top limit=5 status by host | sort -count</query>
</search>
</table>
</panel>
</row>
</form>
Thanks