Splunk Search

Using multiple searchTemplates in a dashboard, why is the search from the first panel being run in the second panel?

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I've put together the following form.

<form>
      <label>Simple select drop down</label>
      <!-- define master search template, with replacement tokens delimited with $ -->
      <searchTemplate>|rest /services/search/jobs 
    |search NOT (author="splunk-system-user" OR author="monitoring")
    |search title!="" 
    |search author =$author$ 
    |addtotals fieldname=duration *duration_secs 
    |convert rmunit(duration) as numSecs
    |eval stringSecs=tostring(duration,"duration")  
    |eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
    |rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
    |eval stringSecs=myRest. "s " .ms. "ms" 
    |eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
    |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(earliestTime) 
    |eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(latestTime) 
    |eval daterange= "From: ".earliestTime.", To: ".latestTime 
    |makemv delim=", " daterange  
    |sort +author
    |table author eai:acl.app title daterange  NoOfDays stringSecs 
    |rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
      <fieldset>
        <!-- Define a simple dropdown form driven by a search -->
        <input type="time" token="timerange">
          <label>Select the Time Range</label>
          <default>
            <earliest>-7d@h</earliest>
            <latest>now</latest>
          </default>
        </input>
        <input type="dropdown" token="author">
          <label>Select series</label>
          <search>
            <query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$
    |search NOT (author="splunk-system-user" OR author="monitoring")    
    |search title!=""  
    |stats count by author</query>
          </search>
          <choice value="*">Any</choice>
          <fieldForLabel>author</fieldForLabel>
          <fieldForValue>author</fieldForValue>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>Splunk Searches Performed - Results for $author$</title>
            <search base="global">
            </search>
            <option name="count">50</option>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
          </table>
        </panel>
      </row>
    <row>
        <panel>
          <table>
            <title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
            <search>
              <searchTemplate>|rest /services/search/jobs 
    |search NOT (author="splunk-system-user" OR author="monitoring")
    |search title!=""
    |search author =$author$ 
    |addtotals fieldname=duration *duration_secs 
    |convert rmunit(duration) as numSecs 
    |eval stringSecs=tostring(duration,"duration")  
    |eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
    |rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
    |eval stringSecs=myRest. "s " .ms. "ms" 
    |eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
    |where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(earliestTime) 
    |eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(latestTime) 
    |eval daterange= "From: ".earliestTime.", To: ".latestTime 
    |makemv delim=", " daterange 
    |sort +author 
    |table author eai:acl.app title daterange  NoOfDays stringSecs 
    |rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"
    </searchTemplate>
            </search>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="drilldown">cell</option>
            <option name="dataOverlayMode">none</option>
            <option name="count">10</option>
          </table>
        </panel>
      </row>
    </form>

Although the drop-down menus work and the searches return the desired results, the problem I have relates to the second panel in the dashboard.

When I select the values from the drop-down menus on the dashboard, the search from the first panel runs in the second, rather than the search I've coded into the XML.

I suspect it's because each search is within the same named "SearchTemplate", but I cannot be sure.

I just wondered whether someone may be able to look at this please and offer some guidance on how I can overcome this issue.

Many thanks and kind regards

Chris

0 Karma
1 Solution

IRHM73
Motivator

Hi, thank you for looking at my post.

I actually found the solution here, so I moved the "Search Templates" between the tags.

So my final code was:

<form>
  <label>Splunk User Activity Monitoring</label>
  <!-- define master search template, with replacement tokens delimited with $ -->
  <fieldset>
    <!-- Define a simple dropdown form driven by a search -->
    <input type="time" token="timerange">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="author">
      <label>Select a User</label>
      <search>
        <query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$ |search NOT (author="splunk-system-user" OR author="monitoring")     |search title!=""   |stats count by author</query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>author</fieldForLabel>
      <fieldForValue>author</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchTemplate>|rest /services/search/jobs 
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!="" 
|search author =$author$ 
|addtotals fieldname=duration *duration_secs 
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")  
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
|eval stringSecs=myRest. "s " .ms. "ms" 
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
|eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime) 
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime) 
|eval daterange= "From: ".earliestTime.", To: ".latestTime 
|makemv delim=", " daterange  
|sort +author
|table author eai:acl.app title daterange  NoOfDays stringSecs 
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
        <title>Splunk Searches Performed - Results for $author$</title>
        <option name="count">50</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
        <searchTemplate>|rest /services/search/jobs 
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$ 
|addtotals fieldname=duration *duration_secs 
|convert rmunit(duration) as numSecs 
|eval stringSecs=tostring(duration,"duration")  
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
|eval stringSecs=myRest. "s " .ms. "ms" 
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
|where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime) 
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime) 
|eval daterange= "From: ".earliestTime.", To: ".latestTime 
|makemv delim=", " daterange 
|sort +author 
|table author eai:acl.app title daterange  NoOfDays stringSecs 
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Searches Taking Longer Than 5 Minutes To Complete</title>
        <searchTemplate>|rest /services/search/jobs   
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$ 
|addtotals fieldname=duration *duration_secs   
|where duration>=300 
|convert rmunit(duration) as numSecs   
|eval stringSecs=tostring(duration,"duration")   
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")  
|rex field=stringSecs "\.(?<ms>\d{2})" 
| rex field=stringSecs "(?<myRest>.+)s\."   
|eval stringSecs=myRest. "s " .ms. "ms" 
|sort +author   
|table author eai:acl.app title stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", stringSecs as "Query Runtime"</searchTemplate>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

Kind Regards

Chris

View solution in original post

0 Karma

IRHM73
Motivator

Hi, thank you for looking at my post.

I actually found the solution here, so I moved the "Search Templates" between the tags.

So my final code was:

<form>
  <label>Splunk User Activity Monitoring</label>
  <!-- define master search template, with replacement tokens delimited with $ -->
  <fieldset>
    <!-- Define a simple dropdown form driven by a search -->
    <input type="time" token="timerange">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="author">
      <label>Select a User</label>
      <search>
        <query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$ |search NOT (author="splunk-system-user" OR author="monitoring")     |search title!=""   |stats count by author</query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>author</fieldForLabel>
      <fieldForValue>author</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchTemplate>|rest /services/search/jobs 
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!="" 
|search author =$author$ 
|addtotals fieldname=duration *duration_secs 
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")  
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
|eval stringSecs=myRest. "s " .ms. "ms" 
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
|eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime) 
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime) 
|eval daterange= "From: ".earliestTime.", To: ".latestTime 
|makemv delim=", " daterange  
|sort +author
|table author eai:acl.app title daterange  NoOfDays stringSecs 
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
        <title>Splunk Searches Performed - Results for $author$</title>
        <option name="count">50</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
        <searchTemplate>|rest /services/search/jobs 
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$ 
|addtotals fieldname=duration *duration_secs 
|convert rmunit(duration) as numSecs 
|eval stringSecs=tostring(duration,"duration")  
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
|eval stringSecs=myRest. "s " .ms. "ms" 
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
|where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime) 
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime) 
|eval daterange= "From: ".earliestTime.", To: ".latestTime 
|makemv delim=", " daterange 
|sort +author 
|table author eai:acl.app title daterange  NoOfDays stringSecs 
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Searches Taking Longer Than 5 Minutes To Complete</title>
        <searchTemplate>|rest /services/search/jobs   
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$ 
|addtotals fieldname=duration *duration_secs   
|where duration>=300 
|convert rmunit(duration) as numSecs   
|eval stringSecs=tostring(duration,"duration")   
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")  
|rex field=stringSecs "\.(?<ms>\d{2})" 
| rex field=stringSecs "(?<myRest>.+)s\."   
|eval stringSecs=myRest. "s " .ms. "ms" 
|sort +author   
|table author eai:acl.app title stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", stringSecs as "Query Runtime"</searchTemplate>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

Kind Regards

Chris

View solution in original post

0 Karma

ngatchasandra
Builder

Hi IRHM73,

Try to remove

 <search>  </search> 

and write only:

 <searchTemplate>|rest /services/search/jobs 
     |search NOT (author="splunk-system-user" OR author="monitoring")
     |search title!=""
     |search author =$author$ 
     |addtotals fieldname=duration *duration_secs 
     |convert rmunit(duration) as numSecs 
     |eval stringSecs=tostring(duration,"duration")  
     |eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
     |rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
     |eval stringSecs=myRest. "s " .ms. "ms" 
     |eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
     |where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
     |convert timeformat="%d/%b/%Y" ctime(earliestTime) 
     |eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
     |convert timeformat="%d/%b/%Y" ctime(latestTime) 
     |eval daterange= "From: ".earliestTime.", To: ".latestTime 
     |makemv delim=", " daterange 
     |sort +author 
     |table author eai:acl.app title daterange  NoOfDays stringSecs 
     |rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"
     </searchTemplate>
0 Karma

IRHM73
Motivator

Hi, thank you for coming back to me with this. You must have been quick off the mark because I had deleted the question having found a solution which I'll post in the answer section.

Kind Regards

Chris

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!