
Using a Scheduled Saved Search as a base search in dashboard with post processing searches.

joydeep741
Path Finder

Requirement :
I have a dashboard which has a base search and three post process searches.
Now, I want to make the base search a scheduled report and replace the original base search with this scheduled report. How should I do this?

<searchTemplate>Scheduled Report</searchTemplate>
<postProcessSearch> 1 </postProcessSearch>
<postProcessSearch> 2 </postProcessSearch>
<postProcessSearch> 3 </postProcessSearch>

I tried <searchTemplate ref="report_name"> but it did not work.


grantjansen
Explorer

Simple XML example on Version 6.2.2
Create a real time saved search named "RT_SavedSearch". For this example: index=_internal | head 1000

<form>
  <label>Post Process Saved Real-time Search</label>
  <description></description>
  <search id="BaseSearch" ref="RT_SavedSearch">
  </search>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="BaseSearch">
        <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="BaseSearch">
        <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>

intelsubham
Explorer

Suppose your scheduled Report Name is "Report1"

First refer it under search separately:

<search id="MainSearch" ref="Report1">
  <query></query>
</search>

Then in visualizations,

<chart>
  <title>Events over Time</title>
  <search base="MainSearch">
    <query>timechart count</query>
  </search>
  <option name="charting.chart">column</option>
</chart>

<table>
  <title>Top Sourcetypes</title>
  <search base="MainSearch">
    <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
  </search>
  <option name="displayRowNumbers">true</option>
</table>
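The two answers above show the `ref` pattern with two panels. The following complete dashboard, added here as an example and not taken from any post in this thread, extends it to the three post-process searches the question asked for, adds a text input whose token is applied inside a post-process query, and scopes the referenced report with the `app` attribute. It assumes a scheduled report named "Report1" exists in the "search" app, returns raw events (for example `index=_internal`), and is readable by everyone who can open the dashboard; viewers see exactly what the report's last scheduled run produced, under the report owner's data permissions, so share the report with the dashboard's audience deliberately.

```xml
<form>
  <label>Scheduled Report as Base Search (three post-process panels)</label>
  <description>Assumes a scheduled report "Report1" in the "search" app; all panels read its last run.</description>

  <!-- Base search: a reference to the scheduled report. No query and no time range here,
       because the results (and their time window) come from the report's own schedule. -->
  <search id="BaseSearch" ref="Report1" app="search"></search>

  <fieldset submitButton="false">
    <input type="text" token="st" searchWhenChanged="true">
      <label>Sourcetype filter</label>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <chart>
        <title>Events over time (filtered by $st$)</title>
        <!-- Post-process search 1: filter the report's events with the input token, then chart.
             Post-process runs on the report artifact, capped at 500,000 events by default,
             so the report should already be narrow enough for that cap not to matter. -->
        <search base="BaseSearch">
          <query>search sourcetype="$st$" | timechart count</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Top sourcetypes (all events in the report)</title>
        <!-- Post-process search 2: a transforming command over the unfiltered artifact. -->
        <search base="BaseSearch">
          <query>top limit=20 sourcetype | eval percent = round(percent, 2)</query>
        </search>
        <option name="displayRowNumbers">true</option>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <single>
        <title>Event count in the last scheduled run (filtered by $st$)</title>
        <!-- Post-process search 3: same filter, different aggregation. -->
        <search base="BaseSearch">
          <query>search sourcetype="$st$" | stats count</query>
        </search>
      </single>
    </panel>
  </row>
</form>
```

Only the report itself is ever dispatched (by the scheduler); the three panels and the token change cost no new searches against the indexers, which is the point of using a scheduled report as the base. The trade-off is freshness: nothing on the dashboard is newer than the report's most recent run.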

millarma
Path Finder

Here is how I did it. I used loadjob to call a specific report and then piped it to a search command that includes tokens

|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$

Here is what it looks like in XML. Look up loadjob for more info.

<panel>
  <input type="text" token="UserName" searchWhenChanged="true">
    <label>UserName</label>
    <suffix>*</suffix>
    <default>*</default>
  </input>
  <table>
    <title>Table of Clipping and Signal to Noise Ratio activity By Group</title>
    <search>
      <query>|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$</query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>

gjanders
SplunkTrust

Please note that using the above example in Splunk version 6.4, you need to remove the empty <query></query> from the <search id="MainSearch" ref="Report1"> for the above example to work...

joydeep741
Path Finder

<search> <query> does not work in Splunk v6.0.
Any suggestions for my version.


intelsubham
Explorer

Well, I am using ver. 6.2.1, and it works fine. (Simple XML)
