
Can I have multiple panels using the same inline search result?

Builder

Hi

I have five panels in a dashboard and three of those five panels are using the same inline search results. Is there a way to make Splunk run one inline search and use its result to build multiple panels?

1 Solution

Champion

You don't need to use saved searches. Right at the beginning of the Simple XML reference, it says

"A dashboard can contain one or more global <search> elements that drive the data displayed in the dashboard."

Here's what you need to do in XML:

<dashboard>
    <search id="base">
        <!-- The base query as you have it in the search tag of your visualization -->
        <query>index = foo</query>
        <earliest>-8h@h</earliest>
        <latest>now</latest>
    </search>
    <row>
        <panel>
            <chart>
                <search base="base">
                    <!-- Any postprocessing goes here, we don't have any so this is empty -->
                </search>
                <option name="charting.chart">bar</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <!-- ...And all the other stuff you want to do. -->
            </chart>
            <chart>
                <search base="base">
                </search>
                <!-- You get the idea. -->
            </chart>
        </panel>
    </row>
</dashboard>

As you see, there's your one-time base search which we reference in our visualization (chart). This is basically the explicit version of what stephane_cyrille proposed, plus a bit simplified.

Builder

Thanks for your answer!

0 Karma

Communicator
0 Karma

Ok edrivera3, this is another way to solve the problem.

1- DO AN INLINE SEARCH GLOBALLY WITHOUT TOKEN (base search). From this you can derive many postprocess searches (many panels).

2- DO THE POSTPROCESS AND FILTER THE RESULT OF THAT BASE SEARCH (it can be a savedsearch)

3- the postprocess search is piped at the end like this, for example:
..........|search $host$

See this:

docs.splunk.com/Documentation/Splunk/6.2.2/AdvancedDev/PostProcess

0 Karma
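The base search plus token-filtered post-process searches described in the answers above, put together in one form as an added example (not code from any poster in this thread). The index and field names are taken from the asker's query quoted later in the thread; the text input, its `*` default, the panel titles and the second panel's query are assumptions.

```xml
<form>
  <label>Shared base search with token-filtered panels</label>
  <fieldset submitButton="false">
    <!-- Assumed text input; it sets the errornumber token used below -->
    <input type="text" token="errornumber" searchWhenChanged="true">
      <label>Error number</label>
      <default>*</default>
    </input>
  </fieldset>

  <!-- Base search: runs once and contains no token, so changing the input
       does not dispatch it again. It ends in stats so that every field the
       post-process searches filter or group on is in the shared result. -->
  <search id="base">
    <query>index="jobevent" | stats count by errornumber, airplanenumber, testnumber</query>
    <earliest>-8h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <table>
        <title>Test numbers per airplane</title>
        <!-- Post-process: the token filter is applied to the base result -->
        <search base="base">
          <query>search errornumber="$errornumber$" | stats values(testnumber) as testnumber by airplanenumber</query>
        </search>
      </table>
    </panel>
    <panel>
      <chart>
        <title>Events per airplane</title>
        <search base="base">
          <query>search errornumber="$errornumber$" | stats sum(count) as events by airplanenumber</query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</form>
```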

Hi, to use savedsearch with your token, try this in the searchString tag:

|savedsearch report_name ....... l..........|..

You can put your token anywhere, like in a normal query.

It may be necessary to put the token in quotes like this, for example: status="$status$"

NOTE: IF YOU ARE USING splunk 6.2.... MAKE SURE YOU ENCLOSE THE QUERY BY

<query>....</query>

instead of

<searchString>.......</searchString>

0 Karma

Motivator

Yes, of course! You can call your saved search in each panel.
Here is an example of how you can call your saved search. Just do the same thing on each panel.

<dashboard>
  <label>Inline Search</label>
  <description>Table, Chart and Event panels powered by inline searches.</description>

  <row>
    <panel>
      <table>
        <title>Report Table</title>
        <search ref="reporting_search_table"/>
        <option name="count">5</option>
      </table>
      <chart>
        <title>Report Chart</title>
        <search ref="reporting_search_timechart"/>
        <option name="charting.chart">area</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <event>
        <title>Report Event</title>
        <search ref="nonreporting_search"/>
        <option name="count">5</option>
      </event>
    </panel>
  </row>
</dashboard>
0 Karma

Builder

Are you referring to a report when you say saved search? If so, I haven't found a way to use a report while keeping my tokens for text input.

0 Karma

Motivator

Ok. So you are using a selection menu! There is a way to do it. Insert tokens in your search query before saving it as a Report. It will work.

0 Karma

Builder

No. That doesn't work. If I insert the token before saving it, no results will show in the dashboard. This is my search query, and it would not produce results in either the search app or the dashboard because there is no errornumber = $ errornumber$.

index="jobevent" errornumber=$ errornumber$ | stats values(testnumber) as testnumber by airplanenumber

The only way I could make this work is by doing an inline search in the dashboard.

0 Karma

Builder

I tried adding quotation marks before the dollar signs in the token or adding an extra dollar sign but nothing works.

0 Karma