Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I my get one search to populate multiple panels in a dashboard?

adepasquale
Path Finder
‎06-03-2016 07:00 AM

So I saw the documentation for global searches, but for the life of me, I can't get it to work.

As you can see, each panel has | pivot Apache_Logs access_geo_asn count(access_geo_asn) AS "Count of access_geo_asn" and they vary by "splitrow" and some other fields.

What I tried to do was create a global search of just | pivot Apache_Logs access_geo_asn count(access_geo_asn) AS "Count of access_geo_asn" and then added the "SPLITROW" for each panel, but I get errors like "splitrow is an invalid command"

<row>
    <panel>
      <table>
        <title>Top 100 URI Paths</title>
        <search>
          <query>| pivot Apache_Logs access_geo_asn count(access_geo_asn) AS "Count of access_geo_asn" SPLITROW uri_path AS uri_path FILTER clientip is "$src_ip$" TOP 100 count(access_geo_asn) ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1</query>
          <earliest>$src_time.earliest$</earliest>
          <latest>$src_time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top 100 URI Paths (categorized)</title>
        <search>
          <query>| pivot Apache_Logs access_geo_asn count(access_geo_asn) AS "Count of access_geo_asn" SPLITROW uri_path_main AS uri_path_main FILTER clientip is "$src_ip$" TOP 100 count(access_geo_asn) ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1</query>
          <earliest>$src_time.earliest$</earliest>
          <latest>$src_time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>ISP &amp; Browser Information (Double Check with TCPIPUTILS)</title>
        <search>
          <query>| pivot Apache_Logs access_geo_asn values(clientip_Country) AS "Country" values(host) AS "hosts" values(useragent) AS "Useragent" SPLITROW netRange AS netRange SPLITROW ASName AS ASName FILTER clientip is "$src_ip$" TOP 100 count(access_geo_asn) ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1</query>
          <earliest>$src_time.earliest$</earliest>
          <latest>$src_time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
0 Karma
Reply

rjthibod
Champion
‎10-05-2016 04:50 AM

In general, using pivot or tstats for this kind of global search is only possible for your first two searches. The third search is calculating different metrics across different fields (your SPLITROW items), so it is going to be harder to combine the third search items with the first two. Here is my take at combining the first two into a global search and two post-processing searches.

<search id="base_pivot_search">
  <query>
    | pivot Apache_Logs access_geo_asn count(access_geo_asn) AS "Count of access_geo_asn" SPLITROW uri_path AS uri_path SPLITROW uri_path_main AS uri_path_main FILTER clientip is "$src_ip$"
  </query>
  <earliest>$src_time.earliest$</earliest>
  <latest>$src_time.latest$</latest>
</search>
<row>
  <panel>
    <table>
      <title>Top 100 URI Paths</title>
      <search base="base_pivot_search">
        <query>
          stats sum(count) as count by uri_path | sort 100 -count
        </query>
      </search>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </panel>
  <panel>
    <table>
      <title>Top 100 URI Paths (categorized)</title>
      <search base="base_pivot_search">
        <query>
          stats sum(count) as count by uri_path_main | sort 100 -count
        </query>
      </search>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </panel>
  <panel>
    <table>
      <title>ISP &amp; Browser Information (Double Check with TCPIPUTILS)</title>
      <search>
        <query>| pivot Apache_Logs access_geo_asn values(clientip_Country) AS "Country" values(host) AS "hosts" values(useragent) AS "Useragent" SPLITROW netRange AS netRange SPLITROW ASName AS ASName FILTER clientip is "$src_ip$" TOP 100 count(access_geo_asn) ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1</query>
        <earliest>$src_time.earliest$</earliest>
        <latest>$src_time.latest$</latest>
      </search>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </panel>
</row>
0 Karma
Reply

somesoni2
Revered Legend
‎06-03-2016 07:08 AM

The global search, also known as base search, should a full query in itself and the subsequent post-process searches should be a valid full portion of the query that can be applied on the resultset of the base search. The pivot and splitrow are part of the same search construct and can't be split into base and post-process search.

0 Karma
Reply

adepasquale
Path Finder
‎06-03-2016 07:10 AM

So this cannot be done using a data model?

0 Karma
Reply

somesoni2
Revered Legend
‎06-03-2016 07:14 AM

For creating a base search, you would need to modify your query so that it get (even though extra) results required for each post-process search and the post-process search will just filter their required results. It can be done with data model as well, but query will have to be modified. Could you explain what each panel is showing?

0 Karma
Reply

adepasquale
Path Finder
‎06-03-2016 08:54 AM

Top URI's
Top Top level directories
ISP & Browser information (lookup table and useragent field)

The data model includes ALL of the information needed for every panel. I just want to show different information.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...