Splunk Search

How to run a postprocess search to load a table taking values from a static pulldown?

harshal_chakran
Builder

Hi,

I am trying to achieve the below format in advanced xml
--MainSearch
---Pulldown with static options
----Postprocess search to load a table taking values from pulldown

When I do this, the postprocess search is not running.
Can anybody please help me with the sample code or the correct format to use?

0 Karma

woodcock
Esteemed Legend

I am assuming that you are getting "Waiting for data to load" (you really should be more specific). Generally the problem is that you have a token in your search somewhere that does not have a value. This happens EITHER when you are using a token, say tokenx, and have misspelled it somewhere (e.g. Tokenx, tokenX or even toknex) OR when you are copying a search string from somewhere else and do not notice that it has a token buried in it and you have not set this token. It can also happen if you have a search string copied from a working search bar example that uses the $field name$ syntax to specify that a thing is a field name and not a string. In such a case, you need to translate it to $$field name$$ inside your dashboard to escape the dashboard from using it as a token.

0 Karma

alacercogitatus
SplunkTrust

Advanced XML is deprecated. Use Simple XML or HTML Dashboards. Here are some bits of code that will help; you will need to add other tags to get it to work correctly.

Here is the dropdown.

<input type="dropdown" token="host">
  <label>Host</label>
  <search>
    <query>index=_internal | head 20 | stats count by host</query>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
</input>

This is the base search that uses the dropdown.

<search id="base_stats">
  <query>index=_internal host=$host$ | head 10</query>
</search>

Here is the table xml that is used to do the postprocess and the table visualization.

<table>
  <title>Sourcetypes</title>
  <search base="base_stats">
    <query>stats count by sourcetype</query>
  </search>
</table>

0 Karma
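
A small Python check for the failure modes discussed in the two answers above: a token used in a search that nothing sets (for example a misspelling), and a post-process search whose base points at no search id. It is an added example, not code from the thread; the sample dashboard with a static dropdown, the deliberate $hots$ typo and the function names are constructed for illustration, and it only knows tokens set by input and set elements.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: static dropdown + base search + post-process table.
# The base search misspells the token as $hots$ on purpose.
SAMPLE = """<form>
  <search id="base_stats">
    <query>index=_internal host=$hots$ | head 10 | fields sourcetype</query>
  </search>
  <fieldset>
    <input type="dropdown" token="host">
      <label>Host</label>
      <choice value="*">All</choice>
      <choice value="web01">web01</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row><panel><table>
    <search base="base_stats">
      <query>stats count by sourcetype | eval note="$$literal$$"</query>
    </search>
  </table></panel></row>
</form>"""

# $name$ or $name|filter$; group 1 is the token name.
TOKEN = re.compile(r"\$([^$|]+)(?:\|[^$]*)?\$")

def undefined_tokens(xml_text):
    """Return sorted token names used in <query> but set by no <input>/<set>."""
    root = ET.fromstring(xml_text)  # intended for your own dashboard files
    defined = {e.get("token") for tag in ("input", "set")
               for e in root.iter(tag) if e.get("token")}
    used = set()
    for q in root.iter("query"):
        text = (q.text or "").replace("$$", "")  # $$ is an escaped dollar sign
        used.update(m.group(1) for m in TOKEN.finditer(text))
    return sorted(used - defined)

def dangling_bases(xml_text):
    """Return base="..." values that match no <search id="...">."""
    root = ET.fromstring(xml_text)
    ids = {s.get("id") for s in root.iter("search") if s.get("id")}
    return sorted({s.get("base") for s in root.iter("search")
                   if s.get("base") and s.get("base") not in ids})
```

Predefined and drilldown tokens are not modelled here, so they would be reported as undefined.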