Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

1 saved search for 2 panels

0range
Communicator
‎08-27-2013 08:13 AM

Hi.
I have a dashboard with two panels (PC- and mobile site visits, for example, and they are divided by field src [src=mob vs. src=NULL]). I want to make ONE saved search that aggregates all needed data for both searches and then divide the data by the values of parameter "src" to show onto this panels.
How can I do this?

Reply

sowings
Splunk Employee
Splunk Employee
‎08-27-2013 09:15 AM

I'm assuming you're using the simple XML format.

This format permits the use of a single search string driving multiple panels. This is done with the main body of the search being enclosed in a searchTemplate element. Any other panel which needs to modify this search can do so with a searchPostProcess element. This acts like a | <rest of search> phrase would be when executed in the search bar. A brief example follows:


<form>
<searchTemplate>index=site_visits</searchTemplate>
<fieldset>
<input type="time"/>
</fieldset>
<row>
<chart>
<title>Mobile visits over time</title>
<searchPostProcess>search src=mob | timechart count<searchPostProcess>
</chart>
<chart>
<title>PC visits over time</title>
<searchPostProcess>where isnull(src) | timechart count<searchPostProcess>
</chart>
</row>
</form>

Reply

wpreston
Motivator
‎08-27-2013 09:04 AM

You can do this using advanced XML. Basically set your dashboard up using a HiddenSavedSearch or some other search module, then set each of your panels to use a HiddenPostProcess to render each of your charts using the data from your HiddenSavedSearch. If you don't want to use Advanced XML, I'm not sure there is a way to do this. I'd recommend reading the Developing Advanced Views documentation to get started

If you can use Sideview Utils, you can use the PostProcess module instead of HiddenPostProcess. The Sideview PostProcess module has some extended (and possibly easier to use) functionality, so you may like it better. Nick (the author of Sideview Utils) wrote some very good documentation and introductions to Advanced XML in general and the PostProcess module in particular. Download Sideview Utils and look at its documentation if you can. More information here:

Differences between PostProcess and HiddenPostProcess

Sideview Utils website

0 Karma
Reply

wpreston
Motivator
‎08-27-2013 06:13 PM

That's good to know. I haven't looked at Simple XML in quite a while but it sounds much more robust now. Thanks for the info!

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎08-27-2013 09:27 AM

Yes, it's possible to do this in Advanced XML, but many users find the syntax daunting. The capabilities of simple XML have increased significantly over the years, and now this kind of "one search, multiple panels" behavior is possible in simple XML as well.

That being said, advanced XML and Sideview offer a whole wealth of capabilities on their own.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...