Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

1 saved search for 2 panels

0range
Communicator
‎08-27-2013 08:13 AM

Hi.
I have a dashboard with two panels (PC- and mobile site visits, for example, and they are divided by field src [src=mob vs. src=NULL]). I want to make ONE saved search that aggregates all needed data for both searches and then divide the data by the values of parameter "src" to show onto this panels.
How can I do this?

Reply

sowings
Splunk Employee
Splunk Employee
‎08-27-2013 09:15 AM

I'm assuming you're using the simple XML format.

This format permits the use of a single search string driving multiple panels. This is done with the main body of the search being enclosed in a searchTemplate element. Any other panel which needs to modify this search can do so with a searchPostProcess element. This acts like a | <rest of search> phrase would be when executed in the search bar. A brief example follows:


<form>
<searchTemplate>index=site_visits</searchTemplate>
<fieldset>
<input type="time"/>
</fieldset>
<row>
<chart>
<title>Mobile visits over time</title>
<searchPostProcess>search src=mob | timechart count<searchPostProcess>
</chart>
<chart>
<title>PC visits over time</title>
<searchPostProcess>where isnull(src) | timechart count<searchPostProcess>
</chart>
</row>
</form>

Reply

wpreston
Motivator
‎08-27-2013 09:04 AM

You can do this using advanced XML. Basically set your dashboard up using a HiddenSavedSearch or some other search module, then set each of your panels to use a HiddenPostProcess to render each of your charts using the data from your HiddenSavedSearch. If you don't want to use Advanced XML, I'm not sure there is a way to do this. I'd recommend reading the Developing Advanced Views documentation to get started

If you can use Sideview Utils, you can use the PostProcess module instead of HiddenPostProcess. The Sideview PostProcess module has some extended (and possibly easier to use) functionality, so you may like it better. Nick (the author of Sideview Utils) wrote some very good documentation and introductions to Advanced XML in general and the PostProcess module in particular. Download Sideview Utils and look at its documentation if you can. More information here:

Differences between PostProcess and HiddenPostProcess

Sideview Utils website

0 Karma
Reply

wpreston
Motivator
‎08-27-2013 06:13 PM

That's good to know. I haven't looked at Simple XML in quite a while but it sounds much more robust now. Thanks for the info!

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎08-27-2013 09:27 AM

Yes, it's possible to do this in Advanced XML, but many users find the syntax daunting. The capabilities of simple XML have increased significantly over the years, and now this kind of "one search, multiple panels" behavior is possible in simple XML as well.

That being said, advanced XML and Sideview offer a whole wealth of capabilities on their own.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...