Reporting

Using a Scheduled Saved Search as a base search in dashboard with post processing searches.

joydeep741
Path Finder

Requirement :
I have a dashboard which has a base search and three post-process searches.
Now, I want to make the base search a scheduled report and replace the original base search with this scheduled report. How should I do this?

<searchTemplate>Scheduled Report</searchTemplate>
<postProcessSearch>1</postProcessSearch>
<postProcessSearch>2</postProcessSearch>
<postProcessSearch>3</postProcessSearch>

I tried <searchTemplate ref="report_name"> but it did not work.


grantjansen
Explorer

Simple XML example on version 6.2.2.
Create a real-time saved search named "RT_SavedSearch". For this example: index=_internal | head 1000

<form>
  <label>Post Process Saved Real-time Search</label>
  <description></description>
  <search id="BaseSearch" ref="RT_SavedSearch">
  </search>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="BaseSearch">
        <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="BaseSearch">
        <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>

intelsubham
Explorer

Suppose your scheduled report name is "Report1".

First, refer to it under a separate search:

<search id="MainSearch" ref="Report1">
  <query></query>
</search>

Then in the visualizations,

<chart>
  <title>Events over Time</title>
  <search base="MainSearch">
    <query>timechart count</query>
  </search>
  <option name="charting.chart">column</option>
</chart>

<table>
  <title>Top Sourcetypes</title>
  <search base="MainSearch">
      <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
  </search>
  <option name="displayRowNumbers">true</option>
</table>

millarma
Path Finder

Here is how I did it. I used loadjob to call a specific report and then piped it to a search command that includes tokens.

|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$

Here is what it looks like in XML. Look up loadjob for more info.

<panel>
  <input type="text" token="UserName" searchWhenChanged="true">
    <label>UserName</label>
    <suffix>*</suffix>
    <default>*</default>
  </input>
  <table>
    <title>Table of Clipping and Signal to Noise Ratio activity By Group</title>
    <search>
      <query>|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$</query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>

gjanders
SplunkTrust

Please note that when using the above example in Splunk version 6.4, you need to remove the empty <query></query> from the <search id="MainSearch" ref="Report1"> for the above example to work.
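
A small checker, added here as an example and not part of any reply in this thread, that parses a Simple XML dashboard with the standard library and flags the three pitfalls raised above: an empty <query></query> under a search bound with ref= (the 6.4 issue), a post-process search whose base= names no defined search id, and a token such as $UserName$ spliced into SPL without the |s quoting filter. The dashboard XML it checks is constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Matches Simple XML tokens of the form $name$ or $name|filter$.
TOKEN_RE = re.compile(r"\$([A-Za-z_]\w*)(\|[a-z]+)?\$")

# Constructed sample: a base search bound to report "Report1" with the empty
# <query></query> that breaks on 6.4, one post-process search pointing at an
# undefined base id, and a loadjob query splicing in $UserName$ unquoted.
SAMPLE_XML = """<form>
  <label>Sample</label>
  <search id="MainSearch" ref="Report1">
    <query></query>
  </search>
  <row>
    <chart>
      <search base="MainSearch"><query>timechart count</query></search>
    </chart>
    <table>
      <search base="OtherSearch"><query>top limit=100 sourcetype</query></search>
    </table>
    <table>
      <search><query>|loadjob savedsearch="admin:search:Report1" | search UserName=$UserName$</query></search>
    </table>
  </row>
</form>"""


def check_dashboard(xml_text):
    """Return a list of (kind, detail) findings for a Simple XML dashboard string."""
    root = ET.fromstring(xml_text)
    searches = list(root.iter("search"))
    base_ids = {s.get("id") for s in searches if s.get("id")}
    findings = []
    for s in searches:
        query = s.find("query")
        text = (query.text or "") if query is not None else None
        if s.get("ref") is not None and text is not None and not text.strip():
            # An empty <query/> under a ref= search stops it working on 6.4.
            findings.append(("empty-query-with-ref", s.get("id") or s.get("ref")))
        if s.get("base") and s.get("base") not in base_ids:
            # Post-process search whose base id is never defined in the dashboard.
            findings.append(("unknown-base", s.get("base")))
        for name, flt in TOKEN_RE.findall(text or ""):
            if flt != "|s":
                # Token spliced into SPL unquoted; $name|s$ quotes it as a string.
                findings.append(("unquoted-token", name))
    return findings
```

Running check_dashboard(SAMPLE_XML) reports all three findings; removing the empty query, pointing base= at "MainSearch" and writing $UserName|s$ makes the list empty.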

joydeep741
Path Finder

<search> <query> does not work in Splunk v6.0.
Any suggestions for my version?


intelsubham
Explorer

Well, I am using ver. 6.2.1, and it works fine. (Simple XML)
