Reporting

Using a Scheduled Saved Search as a base search in dashboard with post processing searches.

joydeep741
Path Finder

Requirement :
I have a dashboard which has a base search and three post process searches.
Now, i want to make the base search as a scheduled report and replace the original base search with this scheduled report. How should i do this ?

< searchTemplate >Scheduled Report< /searchTemplate >
< postProcessSearch > 1 < /postProcessSearch>
< postProcessSearch > 2 < /postProcessSearch>
< postProcessSearch > 3 < /postProcessSearch>

I tried <\ searchTemplate ref="report_name" > but did not work.

Tags (2)
0 Karma

grantjansen
Explorer

Simple XML example on Version 6.2.2
Create a real time saved search named "RT_SavedSearch". For this example: index=_internal | head 1000

<form>
  <label>Post Process Saved Real-time Search</label>
  <description></description>
  <search id="BaseSearch" ref="RT_SavedSearch">
  </search>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="BaseSearch">
        <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="BaseSearch">
        <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>

intelsubham
Explorer

Suppose your scheduled Report Name is "Report1"

First refer it under search separately:

<search id="MainSearch" ref="Report1">
      <query></query>
 </search>

Then in visualizations,

 <chart>
      <title>Events over Time</title>
      <search base="MainSearch">
          <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>

<table>
  <title>Top Sourcetypes</title>
  <search base="MainSearch">
      <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
  </search>
  <option name="displayRowNumbers">true</option>
</table>

millarma
Path Finder

Here is how I did it. I used loadjob to call a specific report and then piped it to a search command that includes tokens

|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$

Here is what it looks like in XML Look up loadjob for more info.

<panel>
  <input type="text" token="UserName" searchWhenChanged="true">
    <label>UserName</label>
    <suffix>*</suffix>
    <default>*</default>
  </input>
  <table>
    <title>Table of Clipping and Signal to Noise Ratio activity By Group</title>
    <search>
      <query>|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$</query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>
0 Karma

gjanders
SplunkTrust
SplunkTrust

Please note that using the above example in Splunk version 6.4, you need to remove the empty <query></query> from the <search id="MainSearch" ref="Report1"> for the above example to work...

joydeep741
Path Finder

<search> <query> does not work in splunk v6.0.
Any suggestions for my version.

0 Karma

intelsubham
Explorer

well i am using ver. 6.2.1, and it works fine. (Simple XML)

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...