- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- pipe automatically added to search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunkers,
I am using a DataModel on lot of the Dahsboards that I have, so, the searchs created behind are using < |pivot ... >
In order to optimize the Dashboard I thought of using a base search that will use the first and common part of the pivot search and then on each panel call this base search and add a SPLITCOL part so soemthing like this :
<search id="basic_search">
<query> | pivot shopping_reshaping Test FILTER field1 is "value1" count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1
</query>
</search>
<search base="basic_search">
<query> SPLITCOL Type</query>
</search>
The problem with that is that when I get back to the UI mode of the dashboard I notice the the search isnt working because there is a | that is added between the basic_search and the other query so it is something like that :
|pivot shopping_reshaping Test FILTER field1 is "value1" count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 | SPLITCOL Type
What I want is :
|pivot shopping_reshaping Test FILTER field1 is "value1" count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 SPLITCOL Type
Can someone help me ?
Many thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The concept of Base Search is to load the search on the dashboard loading and use it multiple times.
Splunk will pass the results of the base search to the next search, not the query. So you can add eval, stats or any other command to manipulate the data but you can edit or append to the existing base query.
You can achieve this by including default token initialization, add any where outside row elements,
<init>
<set token="base_search">| pivot shopping_reshaping Test FILTER field1 is "value1" count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1</set>
<init>
Now use it in your panel queries,
<row>
<panel>
<table>
<search>
<query>$base_search$ SPLITCOL Type</query>
<earliest></earliest>
<latest></latest>
</search>
</table>
</panel>
</row>
accept the answer if it helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The concept of Base Search is to load the search on the dashboard loading and use it multiple times.
Splunk will pass the results of the base search to the next search, not the query. So you can add eval, stats or any other command to manipulate the data but you can edit or append to the existing base query.
You can achieve this by including default token initialization, add any where outside row elements,
<init>
<set token="base_search">| pivot shopping_reshaping Test FILTER field1 is "value1" count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1</set>
<init>
Now use it in your panel queries,
<row>
<panel>
<table>
<search>
<query>$base_search$ SPLITCOL Type</query>
<earliest></earliest>
<latest></latest>
</search>
</table>
</panel>
</row>
accept the answer if it helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will try this, thank you !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The base search is executed first, then the queries of the various panels are performed to post-process the results of the base search within each panel. So you base search needs to work on its own and a panel's query can only add additional commands to post-process the results of the base search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the base search works fine on its own if only the panel's query can be added to it without adding that pipe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But that panel's query you have is not a separate search command that post-processes the results of the base search. It is not like the base search string is glued together with the panel query string and then executed as 1 search. The base search is executed separately and the results passed to into each panel query. So a panel query must consist of post-processing commands.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
