Splunk Search

Problem with reusing a base search with GoogleMaps

berndg
Engager

Hi,

I'm currently trying to "optimize" a dashboard by reusing a base search for different panels.

This is the dashboard I want to "optimize":

<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
    <label>DriverDownloadDOS</label>
    <module name="AccountBar" layoutPanel="appHeader"/>
    <module name="AppBar" layoutPanel="navigationHeader"/>
    <module name="Message" layoutPanel="messaging">
        <param name="filter">*</param>
        <param name="clearOnJobDispatch">False</param>
        <param name="maxSize">1</param>
    </module>
    <module name="Message" layoutPanel="messaging">
        <param name="filter">splunk.search.job</param>
        <param name="clearOnJobDispatch">True</param>
        <param name="maxSize">1</param>
    </module>
    <module name="TitleBar" layoutPanel="viewHeader">
        <param name="actionsMenuFilter">dashboard</param>
    </module>

    <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Yesterday abnormal activities" autoRun="True">
        <param name="earliest">-1d@d</param>
        <param name="latest">@d</param>
        <param name="search">|savedsearch "Calculate downloads to file ratio by ip"|where ratio &lt; 0.005 AND cnt_downloads &gt; 500|sort +ratio</param>            
        <module name="JobProgressIndicator">            
            <module name="EnablePreview">
                <param name="enable">True</param>
                <param name="display">False</param>
                <module name="SimpleResultsTable">
                    <param name="count">25</param>                            
                </module>
            </module>                
        </module>
    </module>                        

    <module name="HiddenSearch" layoutPanel="panel_row1_col2" group="Map View" autoRun="True">
        <param name="search">|savedsearch "Calculate downloads to file ratio by ip"|where ratio &lt; 0.005 AND cnt_downloads&gt;500|geonormalize|eval _geo_count=cnt_downloads|fields _geo_count,_lat,_lng</param>
        <param name="groupLabel">Map View</param>
        <param name="earliest">-1d@d</param>
        <param name="latest">@d</param>
        <module name="GoogleMaps">
            <param name="scrollwheel">off</param>
            <param name="autoPostProcess">false</param>
            <param name="height">400px</param>
            <param name="zoomLevel">2</param>
            <param name="scaleControl">on</param>
            <param name="mapType">hybrid</param>
            <param name="mapTypeControl">off</param>
            <param name="navigationControl">off</param>
        </module>
    </module>
</view>

This results in the correct map: http://www.freeimagehosting.net/uploads/2d01dd83f5.jpg

Here I want the same Output but reusing the base search:

<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
    <label>DriverDownloadDOS</label>
    <module name="AccountBar" layoutPanel="appHeader"/>
    <module name="AppBar" layoutPanel="navigationHeader"/>
    <module name="Message" layoutPanel="messaging">
        <param name="filter">*</param>
        <param name="clearOnJobDispatch">False</param>
        <param name="maxSize">1</param>
    </module>
    <module name="Message" layoutPanel="messaging">
        <param name="filter">splunk.search.job</param>
        <param name="clearOnJobDispatch">True</param>
        <param name="maxSize">1</param>
    </module>
    <module name="TitleBar" layoutPanel="viewHeader">
        <param name="actionsMenuFilter">dashboard</param>
    </module>

    <module name="HiddenSearch"  layoutPanel="panel_row1_col1" autoRun="True">
        <param name="earliest">-1d@d</param>
        <param name="latest">@d</param>
        <module name="HiddenSavedSearch" autoRun="True">
            <param name="savedSearch">Calculate downloads to file ratio by ip</param>    
            <module name="HiddenPostProcess" layoutPanel="panel_row1_col1" group="Yesterday abnormal activities" autoRun="True">
                <param name="search">where ratio &lt; 0.005 AND cnt_downloads &gt; 500|sort +ratio</param>            
                <module name="JobProgressIndicator">            
                    <module name="EnablePreview">
                        <param name="enable">True</param>
                        <param name="display">False</param>
                        <module name="SimpleResultsTable">
                            <param name="count">25</param>                            
                        </module>
                    </module>                
                </module>
            </module>                        
            <module name="HiddenPostProcess" layoutPanel="panel_row1_col2" group="Map View" autoRun="True">
                <param name="search">where ratio &lt; 0.005 AND cnt_downloads&gt;500|geonormalize|eval _geo_count=cnt_downloads|fields _geo_count,_lat,_lng</param>
                <param name="groupLabel">Map View</param>                
                <module name="GoogleMaps">
                    <param name="scrollwheel">off</param>
                    <param name="autoPostProcess">false</param>
                    <param name="height">400px</param>
                    <param name="zoomLevel">2</param>
                    <param name="scaleControl">on</param>
                    <param name="mapType">hybrid</param>
                    <param name="mapTypeControl">off</param>
                    <param name="navigationControl">off</param>
                </module>
            </module>
        </module>
    </module>
</view>

This results in this map visualisation: http://www.freeimagehosting.net/uploads/f543fc852e.jpg

I've no idea what's wrong. Is there a syntax failure or something like that in my dashboard? I'm an absolute newbie with the advanced dashboards. Until now I have only used the simple XML-style dashboards.


sideview
SplunkTrust

You can learn a lot about how all this works by reading the 'UI Examples for 4.1' app.

Go to the 'launcher' app in your splunk instance and click 'browse other apps', scroll down a long while and then install the app called 'UI Examples for 4.1'. That app has about 60 example views that start you out with tiny hello world configurations and walk you up to more advanced techniques. The pacing is more than a little uneven and you may find it confusing but it is very rewarding to read through.

It is possible to do what you're trying to do. However, there are some basic mistakes. You have a HiddenSavedSearch module downstream from HiddenSearch. HiddenSavedSearch will always obliterate the timeRange (because there is always a time range saved with the saved search, even if it's the implicit range of 'all time').

Also, you will have to read through the view in the UI Examples app called 'using postProcess on dashboards'. It will explain a few things that you will need to understand before using this technique. Notably, the saved search you're trying to use probably doesn't refer to all the fields that you're using later in the postProcess, so Splunk will not have extracted those fields in the job.

There are also two autoRun="True" attributes, which will make the UI slightly slower (you should only use one per branch).

But again, plan to spend an hour or two reading through the example views and the documentation in the UI examples app and a lot of this will become clearer.

0 Karma
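Putting the answer's points together (the saved search inlined into a single HiddenSearch that owns the time range, no HiddenSavedSearch beneath it, one autoRun, and the shared where filter moved into the base job so each HiddenPostProcess only sorts or geonormalizes), as an added example that is code from neither poster. It assumes the saved search "Calculate downloads to file ratio by ip" already returns ratio, cnt_downloads and the IP field that geonormalize needs; if it does not, those fields have to be added to the saved search first.

```xml
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
    <label>DriverDownloadDOS</label>
    <module name="AccountBar" layoutPanel="appHeader"/>
    <module name="AppBar" layoutPanel="navigationHeader"/>
    <module name="TitleBar" layoutPanel="viewHeader">
        <param name="actionsMenuFilter">dashboard</param>
    </module>
    <!-- The two Message modules from the original dashboards are omitted here for brevity. -->

    <!-- Base search: runs once, owns the time range, and is the only module with autoRun.
         The saved search is inlined with the savedsearch command instead of a HiddenSavedSearch
         module, so the earliest/latest params below are not overridden by the saved time range. -->
    <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
        <param name="earliest">-1d@d</param>
        <param name="latest">@d</param>
        <param name="search">| savedsearch "Calculate downloads to file ratio by ip" | where ratio &lt; 0.005 AND cnt_downloads &gt; 500</param>

        <!-- Panel 1: the shared filter already ran in the base job; only the sort is post-processed. -->
        <module name="HiddenPostProcess" layoutPanel="panel_row1_col1" group="Yesterday abnormal activities">
            <param name="search">sort +ratio</param>
            <module name="JobProgressIndicator">
                <module name="EnablePreview">
                    <param name="enable">True</param>
                    <param name="display">False</param>
                    <module name="SimpleResultsTable">
                        <param name="count">25</param>
                    </module>
                </module>
            </module>
        </module>

        <!-- Panel 2: same job, geonormalized for the map, using the same field names as the original map search. -->
        <module name="HiddenPostProcess" layoutPanel="panel_row1_col2" group="Map View">
            <param name="search">geonormalize | eval _geo_count=cnt_downloads | fields _geo_count,_lat,_lng</param>
            <module name="GoogleMaps">
                <param name="scrollwheel">off</param>
                <param name="autoPostProcess">false</param>
                <param name="height">400px</param>
                <param name="zoomLevel">2</param>
                <param name="scaleControl">on</param>
                <param name="mapType">hybrid</param>
                <param name="mapTypeControl">off</param>
                <param name="navigationControl">off</param>
            </module>
        </module>
    </module>
</view>
```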

berndg
Engager

Thank you for the hints. I didn't know that a SavedSearch always has a timeRange. Good to know!
All the fields I use in PostProcess seem to be extracted (I'm able to output them in a table inside a PostProcess).

0 Karma