Splunk Search

How to view dashboard subsearches using HiddenSearch?

pravusnex
Explorer

Hi,

I am creating a custom view dashboard. In that I'm trying to utilize the same search to extract a single value and then modify that search slightly to put the rest of the results in a column chart. I would think that this would be fairly easy, but I'm missing something. I could just have two separate searches but that would be an inefficient use of resources.

In the example below I try to create a child "HiddenSearch". I don't get any errors, but all I see in the view is "No Result Data".

Any help would be appreciated.

<view template="dashboard.html">
   <label>myapp Identity Verification</label>
   <module name="AccountBar" layoutPanel="appHeader" />
   <module name="AppBar" layoutPanel="navigationHeader" />
   <module name="Message" layoutPanel="messaging">
      <param name="filter">*</param>
      <param name="clearOnJobDispatch">False</param>
      <param name="maxSize">1</param>
   </module>
   <module name="TitleBar" layoutPanel="viewHeader">
      <param name="actionsMenuFilter">dashboard</param>
   </module>
   <module name="TimeRangePicker" group="Success Rate" layoutPanel="panel_row1_col1">
      <param name="selected">Last 7 days</param>
      <param name="searchWhenChanged">True</param>
      <module name="GenericHeader">
         <param name="label">Success Rate</param>
         <module name="HiddenSearch" autoRun="True">
            <param name="search">sourcetype="myapp_app_audit" End | stats count(eval((operation="ResetPIN" AND ref_step="Resolve" AND step="CheckAnswer") OR (operation="SetACI" AND ref_step="Resolve" AND (step="NeedNewCID" OR step="ForgotCID")) OR (operation="CreatePIN" AND ref_step="Resolve" AND match(step,"Register*")) OR (operation="ChangePIN" AND step="Change" AND ref_step="Resolve"))) AS Succeeded, count(eval(ref_step="InitNoAuth" AND step="Resolve")) AS Attempted | eval Failed=Attempted-Succeeded |eval SuccessRate=round(Succeeded/Attempted,2)</param>
            <module name="SingleValue">
               <param name="beforeLabel">Success Rate</param>
               <param name="format">percent</param>
               <param name="field">SuccessRate</param>
            </module>
            <module name="HiddenSearch" autoRun="True">
               <param name="search">|fields Attempted Failed Succeeded|untable "status" "status" "count"</param>
               <module name="HiddenChartFormatter">
                  <param name="chart">column</param>
                  <param name="primaryAxisTitle.text">Accumulated Totals</param>
                  <param name="secondaryAxisTitle.text">Transaction Count</param>
                  <param name="legend.placement">none</param>
                  <module name="JobProgressIndicator" />
                  <module name="FlashChart">
                     <param name="width">100%</param>
                     <param name="height">200px</param>
                  </module>
                  <module name="SimpleResultsTable" />
               </module>
            </module>
         </module>
      </module>
   </module>
</view>
1 Solution

gkanapathy
Splunk Employee

You need to use the HiddenPostProcess module to apply commands to data from a higher-level search. HiddenSearch will just run a different search from scratch, and in this case, just running the command |fields ... will produce no data.

Update:

The charts do not want data in untabled format. They need it in tables, where each series is a column. However, it also requires an x field to indicate the series grouping name/id. Assuming you just want three columns displayed (Attempted, Succeeded, Failed), to format your original search for the chart, instead of untable, you should use:

| fields Attempted Succeeded Failed | eval Units="count"

The name of the field and value don't matter.

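As an added illustration of the accepted answer (this view is written for this page; it is not code from the thread or from Splunk's own documentation), the XML below keeps a single HiddenSearch job feeding the SingleValue and hangs a HiddenPostProcess off that same job for the column chart, using the answer's `| fields ... | eval Units="count"` in place of untable. Module names and params are the ones the thread already uses; the stats clause is shortened to one of the question's conditions for brevity.

```xml
<view template="dashboard.html">
   <label>Identity Verification</label>
   <module name="TitleBar" layoutPanel="viewHeader">
      <param name="actionsMenuFilter">dashboard</param>
   </module>

   <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
      <param name="selected">Last 7 days</param>
      <param name="searchWhenChanged">True</param>

      <!-- One search job: every child module below reads this job's results -->
      <module name="HiddenSearch" autoRun="True">
         <!-- stats conditions shortened here; use the question's full eval list -->
         <param name="search">sourcetype="myapp_app_audit" End
            | stats count(eval(ref_step="InitNoAuth" AND step="Resolve")) AS Attempted,
                    count(eval(operation="ChangePIN" AND step="Change" AND ref_step="Resolve")) AS Succeeded
            | eval Failed=Attempted-Succeeded
            | eval SuccessRate=round(Succeeded/Attempted,2)</param>

         <!-- Single value reads SuccessRate straight from the parent job -->
         <module name="SingleValue">
            <param name="beforeLabel">Success Rate</param>
            <param name="format">percent</param>
            <param name="field">SuccessRate</param>
         </module>

         <!-- Post-process, not a nested HiddenSearch: a nested HiddenSearch
              starts a new job from scratch, so "| fields ..." has no input
              and the panel shows "No Result Data". -->
         <module name="HiddenPostProcess">
            <!-- The chart wants one row with a series per column plus an x field;
                 untable's long status/count layout is not the shape it expects. -->
            <param name="search">| fields Attempted Succeeded Failed | eval Units="count"</param>
            <module name="HiddenChartFormatter">
               <param name="chart">column</param>
               <param name="primaryAxisTitle.text">Accumulated Totals</param>
               <param name="secondaryAxisTitle.text">Transaction Count</param>
               <param name="legend.placement">none</param>
               <module name="JobProgressIndicator" />
               <module name="FlashChart">
                  <param name="width">100%</param>
                  <param name="height">200px</param>
               </module>
            </module>
         </module>
      </module>
   </module>
</view>
```

If the chart still does not treat Units as the x-axis, putting it first (`| eval Units="count" | fields Units Attempted Succeeded Failed`) is worth trying; that ordering is an assumption on my part, not something the thread confirms.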

pravusnex
Explorer

I'm leaving the full code for what I am trying to do now that I know "HiddenPostProcess" exists. The |untable command seems to not work.

<view template="dashboard.html">
   <label>Test Area</label>
   <module name="AccountBar" layoutPanel="appHeader" />
   <module name="AppBar" layoutPanel="navigationHeader" />
   <module name="Message" layoutPanel="messaging">
      <param name="filter">*</param>
      <param name="clearOnJobDispatch">False</param>
      <param name="maxSize">1</param>
   </module>
   <module name="TitleBar" layoutPanel="viewHeader">
      <param name="actionsMenuFilter">dashboard</param>
   </module>
   <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
      <param name="selected">Last 7 days</param>
      <param name="searchWhenChanged">True</param>
      <module name="HiddenSearch" autoRun="True">
         <param name="search">(sourcetype="corps_app_error" NOT monitoring:W_ResponseTimeThresholdExceeded NOT common:F_RMDC_MissingRequiredValue NOT "Relationship * not supported") OR (sourcetype="corps_app_audit" End step="Resolve") | transaction ReqId | stats count(ReqId) AS Attempted, count(eval(NOT sourcetype="corps_app_error")) AS Succeeded |eval Failed=Attempted-Succeeded |eval SuccessRate=round(Succeeded/Attempted,2)</param>
         <module name="SingleValue">
            <param name="beforeLabel">Success Rate</param>
            <param name="format">percent</param>
            <param name="field">SuccessRate</param>
         </module>
         <module name="HiddenPostProcess">
            <param name="search">|fields Attempted Failed Succeeded |untable "status" "status" "count"</param>
            <module name="HiddenChartFormatter">
               <param name="chart">column</param>
               <param name="primaryAxisTitle.text">Identify User</param>
               <param name="secondaryAxisTitle.text">Transaction Count</param>
               <param name="legend.placement">None</param>
               <module name="JobProgressIndicator" />
               <module name="FlashChart">
                  <param name="width">100%</param>
                  <param name="height">200px</param>
               </module>
               <module name="SimpleResultsTable" />
            </module>
         </module>
      </module>
   </module>
</view>

pravusnex
Explorer

Actually I kind of get what you are saying. I can make the chart if I use "Units", but how do I make the chart use that as my x-axis? It certainly isn't doing it in any way I can figure out.


pravusnex
Explorer

Well, my table got messed up in comment formatting. It's basically a table with headers status & count. Then row 1, 2, 3.


pravusnex
Explorer

I don't think that's right for what I am trying to do. My chart is a summation, not a chart over time. I have only been able to produce the chart I want by getting it in the following format.

    status      count
  1 Attempted   658
  2 Failed      122
  3 Succeeded   536

So, I'm still a little stuck in that area. When I run this from the search app it works great and the chart is exactly what I want. When I do it in the "view" it gets messed up.


pravusnex
Explorer

Thank you for that. I see that documentation. It is only partially working for me though. The initial search works and then it appears that the HiddenPostProcess kind of works, but it seems to stumble. I'm trying to turn this into a column chart and the use of the |untable command doesn't reorient the table like it does in the search bar.

Any suggestions for a different way to produce the same table is certainly welcome.


gkanapathy
Splunk Employee

Oh, that's interesting...it's not in the online docs. I'll file a bug on that. In general, you can see docs for the modules in your own Splunk instance by going to http://localhost:8000/modules though.


pravusnex
Explorer

Where is this documented?


uf100272
Loves-to-Learn Lots

addtotals
