pipe automatically added to search

helmekkaoui
New Member

Hello Splunkers,

I am using a DataModel on a lot of the Dashboards that I have, so the searches created behind them use < |pivot ... >
In order to optimize the Dashboard, I thought of using a base search that holds the first, common part of the pivot search, and then on each panel calling this base search and adding a SPLITCOL part, so something like this:

<search id="basic_search">
    <query> | pivot shopping_reshaping Test FILTER field1 is "value1"  count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto  SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 
    </query>  
</search>

<search base="basic_search">
          <query> SPLITCOL Type</query>
</search>

The problem with that is that when I get back to the UI mode of the dashboard, I notice that the search isn't working because there is a | that is added between the basic_search and the other query, so it is something like this:

 |pivot shopping_reshaping Test FILTER field1 is "value1"  count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto  SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 | SPLITCOL Type

What I want is :

 |pivot shopping_reshaping Test FILTER field1 is "value1"  count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto  SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 SPLITCOL Type

Can someone help me ?

Many thanks

0 Karma
1 Solution

gaurav_maniar
Builder

Hi,

The concept of Base Search is to load the search on the dashboard loading and use it multiple times.
Splunk will pass the results of the base search to the next search, not the query. So you can add eval, stats or any other command to manipulate the data but you can edit or append to the existing base query.

You can achieve this by including a default token initialization; add it anywhere outside the row elements:

<init>
    <set token="base_search">| pivot shopping_reshaping Test FILTER field1 is "value1"  count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto  SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1</set>
</init>

Now use it in your panel queries,

<row>
    <panel>
        <table>
            <search>
                <query>$base_search$ SPLITCOL Type</query>
                <earliest></earliest>
                <latest></latest>
            </search>
        </table>
    </panel>
</row>

accept the answer if it helps.

0 Karma

helmekkaoui
New Member

I will try this, thank you !

0 Karma

FrankVl
Ultra Champion

The base search is executed first, then the queries of the various panels are performed to post-process the results of the base search within each panel. So your base search needs to work on its own and a panel's query can only add additional commands to post-process the results of the base search.

0 Karma

helmekkaoui
New Member

The base search works fine on its own, if only the panel's query can be added to it without adding that pipe.

0 Karma

FrankVl
Ultra Champion

But that panel's query you have is not a separate search command that post-processes the results of the base search. It is not like the base search string is glued together with the panel query string and then executed as 1 search. The base search is executed separately and the results are passed into each panel query. So a panel query must consist of post-processing commands.

0 Karma
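
The difference between the two layouts discussed in this thread can be checked mechanically. The following Python sketch is an added example, not code from any of the posters or from Splunk: it parses a Simple XML dashboard, expands `$token$` values set in `<init>`, and flags panels whose post-process query starts with a pivot clause instead of a command. The function name `check_dashboard`, the shortened pivot string and both sample dashboards are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Pivot-only clauses seen in this thread's query; none is a search command.
PIVOT_CLAUSES = {"SPLITCOL", "SPLITROW", "ROWSUMMARY", "COLSUMMARY",
                 "NUMCOLS", "SHOWOTHER"}

# Constructed, shortened version of the pivot search from the question.
PIVOT = '| pivot shopping_reshaping Test count(Code) AS "Count of Codes" SPLITROW _time AS _time'

# Constructed sample: the question's layout (base search + post-process panel).
BROKEN = f"""<dashboard>
  <search id="basic_search"><query>{PIVOT}</query></search>
  <row><panel><table>
    <search base="basic_search"><query>SPLITCOL Type</query></search>
  </table></panel></row>
</dashboard>"""

# Constructed sample: the accepted answer's layout (token set in <init>).
FIXED = f"""<dashboard>
  <init><set token="base_search">{PIVOT}</set></init>
  <row><panel><table>
    <search><query>$base_search$ SPLITCOL Type</query></search>
  </table></panel></row>
</dashboard>"""


def check_dashboard(xml_text):
    """Return [(effective_query, problem_or_None)] for each panel search."""
    root = ET.fromstring(xml_text)
    tokens = {s.get("token"): (s.text or "").strip()
              for s in root.iterfind("./init/set")}
    bases = {s.get("id"): (s.findtext("query") or "").strip()
             for s in root.iter("search") if s.get("id")}
    out = []
    for s in root.iter("search"):
        if s.get("id"):
            continue  # base searches are checked through their panels
        query = (s.findtext("query") or "").strip()
        # $token$ is replaced as text before the search string is run.
        query = re.sub(r"\$(\w+)\$",
                       lambda m: tokens.get(m.group(1), m.group(0)), query)
        problem = None
        if s.get("base") is not None:
            post = query.lstrip("| ")
            first = post.split(None, 1)[0] if post else ""
            if first.upper() in PIVOT_CLAUSES:
                problem = f"{first} is a pivot clause, not a post-process command"
            # Post-processing runs on the base results, i.e. after a pipe.
            query = f"{bases.get(s.get('base'), '')} | {post}"
        out.append((query, problem))
    return out
```
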