
How to run a postprocess search to load a table taking values from a static pulldown?

Hi,

I am trying to achieve the below format in Advanced XML:
--MainSearch
---Pulldown with static options
----Postprocess search to load a table taking values from pulldown

When I do this, the postprocess search is not running.
Can anybody please help me with the sample code or the correct format to use?

0 Karma

Re: How to run a postprocess search to load a table taking values from a static pulldown?

SplunkTrust

Advanced XML is deprecated. Use Simple XML or HTML Dashboards. Here are some bits of code that will help; you will need to add other tags to get it to work correctly.

Here is the dropdown.

<input type="dropdown" token="host">
  <label>Host</label>
  <search>
    <query>index=_internal | head 20 | stats count by host</query>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
</input>

This is the base search that uses the dropdown.

<search id="base_stats">
  <query>index=_internal host=$host$ | head 10</query>
</search>

Here is the table XML that is used to do the postprocess and the table visualization.

<table>
  <title>Sourcetypes</title>
  <search base="base_stats">
    <query>stats count by sourcetype</query>
  </search>
</table>

0 Karma

Re: How to run a postprocess search to load a table taking values from a static pulldown?

Esteemed Legend

I am assuming that you are getting "Waiting for data to load" (you really should be more specific). Generally the problem is that you have a token in your search somewhere that does not have a value. This happens EITHER when you are using a token, say tokenx, and have mis-spelled it somewhere (e.g. Tokenx, tokenX or even toknex) OR when you are copying a search string from somewhere else and do not notice that it has a token buried in it and you have not set this token. It can also happen if you have a search string copied from a working search bar example that uses the $field name$ syntax to specify that a thing is a field name and not a string. In such a case, you need to translate it to $$field name$$ inside your dashboard to escape the dashboard from using it as a token.

0 Karma
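
The unset-token failure described in the last answer can be checked offline before a dashboard is deployed. The following is an added example, not code from any poster or from Splunk: it lists every $token$ in a Simple XML query that no input, set or eval element defines, and suggests the closest defined name. The sample dashboard, its static choice values and the function name undefined_tokens are constructed for illustration.

```python
import difflib
import re
import xml.etree.ElementTree as ET

# Constructed sample: the static dropdown sets "host", the base search misspells
# it as "Host", and the post-process query has one escaped and one bare $...$.
SAMPLE = """<form>
  <fieldset>
    <input type="dropdown" token="host">
      <choice value="web01">web01</choice>
      <choice value="web02">web02</choice>
    </input>
  </fieldset>
  <search id="base_stats">
    <query>index=_internal host=$Host$ | head 10</query>
  </search>
  <row><panel><table>
    <search base="base_stats">
      <query>stats count by sourcetype | eval n="$$literal$$" | search u=$user name$</query>
    </search>
  </table></panel></row>
</form>"""

TOKEN_RE = re.compile(r"\$([^$]+)\$")
BUILTIN_PREFIXES = ("env:", "row.", "click.", "job.", "result.")  # framework-set, non-exhaustive

def undefined_tokens(xml_text):
    """Return [(token, closest_defined_name_or_None)] for every $token$ in a
    <query> that no <input>, <set> or <eval> element defines."""
    root = ET.fromstring(xml_text)
    defined = {el.get("token") for el in root.iter()
               if el.tag in ("input", "set", "eval") and el.get("token")}
    findings = []
    for query in root.iter("query"):
        # "$$" is the escape for a literal "$", so drop it before matching.
        text = (query.text or "").replace("$$", "")
        for raw in TOKEN_RE.findall(text):
            name = raw.split("|")[0]            # strip a filter such as |s
            if name.startswith(BUILTIN_PREFIXES):
                continue
            name = name[5:] if name.startswith("form.") else name
            if name.split(".")[0] in defined:   # also covers tok.earliest / tok.latest
                continue
            close = difflib.get_close_matches(name, sorted(defined), n=1)
            findings.append((name, close[0] if close else None))
    return findings

if __name__ == "__main__":
    print(undefined_tokens(SAMPLE))
```

The match is a heuristic: a query that contains unrelated literal dollar signs can produce false positives.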