Requirement:
I have a dashboard which has a base search and three post process searches.
Now, I want to make the base search a scheduled report and replace the original base search with this scheduled report. How should I do this?
<searchTemplate>Scheduled Report</searchTemplate>
<postProcessSearch>1</postProcessSearch>
<postProcessSearch>2</postProcessSearch>
<postProcessSearch>3</postProcessSearch>
I tried <searchTemplate ref="report_name"> but it did not work.
Simple XML example on Version 6.2.2
Create a real-time saved search named "RT_SavedSearch". For this example: index=_internal | head 1000
<form>
  <label>Post Process Saved Real-time Search</label>
  <description></description>
  <search id="BaseSearch" ref="RT_SavedSearch">
  </search>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="BaseSearch">
        <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="BaseSearch">
        <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>
Suppose your scheduled report name is "Report1".
First, refer to it in a separate search:
<search id="MainSearch" ref="Report1">
  <query></query>
</search>
Then, in the visualizations:
<chart>
  <title>Events over Time</title>
  <search base="MainSearch">
    <query>timechart count</query>
  </search>
  <option name="charting.chart">column</option>
</chart>
<table>
  <title>Top Sourcetypes</title>
  <search base="MainSearch">
    <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
  </search>
  <option name="displayRowNumbers">true</option>
</table>
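Putting the answer above together with the requirement in the question (one scheduled report as the base, three post-process searches), here is a complete Simple XML dashboard as an added example; it is not code from the original post. It assumes a scheduled report named Report1 exists, is readable by the dashboard's users, and returns raw events carrying host and sourcetype fields (for instance the index=_internal | head 1000 search used earlier on this page); the panel queries are constructed for this example.

```xml
<form>
  <label>Scheduled Report as Base Search</label>
  <!-- Base search: reference the scheduled report by name (Report1 is an assumed name).
       No <query> element inside: on Splunk 6.4 an empty <query></query> here breaks the
       reference, as a comment on this page reports. The dashboard then reuses the report's
       most recent scheduled results instead of running the search again. -->
  <search id="BaseReport" ref="Report1"></search>

  <row>
    <panel>
      <chart>
        <title>Events over Time</title>
        <!-- Post-process search 1: runs on the results of the base search -->
        <search base="BaseReport">
          <query>timechart count</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Top Sourcetypes</title>
        <!-- Post-process search 2 -->
        <search base="BaseReport">
          <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
        </search>
        <option name="displayRowNumbers">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Event Count by Host</title>
        <!-- Post-process search 3: the host field is assumed to be present in the report results -->
        <search base="BaseReport">
          <query>stats count by host | sort - count</query>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
```

Post-process searches only see the results the base search returns, so if the scheduled report is a non-transforming (raw events) search, keep its result set bounded, as the head 1000 example earlier does.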
Here is how I did it. I used loadjob to call a specific report and then piped it to a search command that includes tokens.
|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$
Here is what it looks like in XML. Look up loadjob for more info.
<panel>
  <input type="text" token="UserName" searchWhenChanged="true">
    <label>UserName</label>
    <suffix>*</suffix>
    <default>*</default>
  </input>
  <table>
    <title>Table of Clipping and Signal to Noise Ratio activity By Group</title>
    <search>
      <query>|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$</query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>
Please note that when using the above example in Splunk version 6.4, you need to remove the empty <query></query> from the <search id="MainSearch" ref="Report1"> element for the above example to work.
<search> <query> does not work in Splunk v6.0.
Any suggestions for my version?
Well, I am using ver. 6.2.1, and it works fine. (Simple XML)