Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to run a postprocess search to load a table taking values from a static pulldown?

harshal_chakran
Builder
‎07-07-2015 02:13 AM

Hi,

I am trying to achieve the below format in advanced xml
--MainSearch
---Pulldown with static options
----Postprocess search to load a table taking values from pulldown

When I do this, the postprocess search is not running.
Can anybody please help me with the sample code or the correct format to use?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-07-2015 06:40 AM

I am assuming that you are getting "Waiting for data to load" (you really should be more specific). Generally the problem is that you have a token in your search somewhere that does not have a value. This happens EITHER when you are using a token, saytokenx, and have mis-spelled it somewhere (e.g. Tokenx, tokenX or even toknex) OR when you are copying a search string from somewhere else and do not notice that it has a token buried in it and you have not set this token. It can also happen if you have a search string copied from a working search bar example that uses the $field name$ syntax to specify that a thing is a field name and not a string. In such a case, you need to translate it to $$field name$$ inside your dashboard to escape the dashbaord from using it is a token.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎07-07-2015 05:19 AM

Advanced XML is deprecated. Use Simple XML or HTML Dashboards. Here are some bits of code that will help, you will need to add other tags to get it to work correctly.

Here is the dropdown.

 <input type="dropdown" token="host">
  <label>Host</label>
  <search>
    <query>index=_internal |head 20 | stats count by host</query>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
</input>

This is the base search that uses the dropdown.

<search id="base_stats">
<query>index=_internal host=$host$ | head 10</query>
</search>

Here is the table xml that is used to do the postprocess and the table visualization.

<table>
    <title>Sourcetypes</title>
    <search base="base_stats">
      <query>stats count by sourcetype</query>
    </search>
  </table>
0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...