Splunk Search

Using multiple searchTemplates in a dashboard, why is the search from the first panel being run in the second panel?


Hi, I wonder whether someone may be able to help me please.

I've put together the following form.

<form>
      <label>Simple select drop down</label>
      <!-- define master search template, with replacement tokens delimited with $ -->
      <searchTemplate>|rest /services/search/jobs 
    |search NOT (author="splunk-system-user" OR author="monitoring")
    |search title!="" 
    |search author =$author$ 
    |addtotals fieldname=duration *duration_secs 
    |convert rmunit(duration) as numSecs
    |eval stringSecs=tostring(duration,"duration")  
    |eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
    |rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
    |eval stringSecs=myRest. "s " .ms. "ms" 
    |eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
    |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(earliestTime) 
    |eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(latestTime) 
    |eval daterange= "From: ".earliestTime.", To: ".latestTime 
    |makemv delim=", " daterange  
    |sort +author
    |table author eai:acl.app title daterange  NoOfDays stringSecs 
    |rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
      <fieldset>
        <!-- Define a simple dropdown form driven by a search -->
        <input type="time" token="timerange">
          <label>Select the Time Range</label>
          <default>
            <earliest>-7d@h</earliest>
            <latest>now</latest>
          </default>
        </input>
        <input type="dropdown" token="author">
          <label>Select series</label>
          <search>
            <query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$
    |search NOT (author="splunk-system-user" OR author="monitoring")    
    |search title!=""  
    |stats count by author</query>
          </search>
          <choice value="*">Any</choice>
          <fieldForLabel>author</fieldForLabel>
          <fieldForValue>author</fieldForValue>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>Splunk Searches Performed - Results for $author$</title>
            <search base="global">
            </search>
            <option name="count">50</option>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
          </table>
        </panel>
      </row>
    <row>
        <panel>
          <table>
            <title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
            <search>
              <searchTemplate>|rest /services/search/jobs 
    |search NOT (author="splunk-system-user" OR author="monitoring")
    |search title!=""
    |search author =$author$ 
    |addtotals fieldname=duration *duration_secs 
    |convert rmunit(duration) as numSecs 
    |eval stringSecs=tostring(duration,"duration")  
    |eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
    |rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
    |eval stringSecs=myRest. "s " .ms. "ms" 
    |eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
    |where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(earliestTime) 
    |eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(latestTime) 
    |eval daterange= "From: ".earliestTime.", To: ".latestTime 
    |makemv delim=", " daterange 
    |sort +author 
    |table author eai:acl.app title daterange  NoOfDays stringSecs 
    |rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"
    </searchTemplate>
            </search>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="drilldown">cell</option>
            <option name="dataOverlayMode">none</option>
            <option name="count">10</option>
          </table>
        </panel>
      </row>
    </form>

Although the drop-down menus work and the searches return the desired results, the problem I have relates to the second panel in the dashboard.

When I select the values from the drop-down menus on the dashboard, the search from the first panel runs in the second, rather than the search I've coded into the XML.

I suspect it's because each search is within the same named "SearchTemplate", but I cannot be sure.

I just wondered whether someone may be able to look at this please and offer some guidance on how I can overcome this issue.

Many thanks and kind regards

Chris


Re: Using multiple searchTemplates in a dashboard, why is the search from the first panel being run in the second panel?

Hi IRHM73,

Try to remove

 <search>  </search> 

and write only:

 <searchTemplate>|rest /services/search/jobs 
     |search NOT (author="splunk-system-user" OR author="monitoring")
     |search title!=""
     |search author =$author$ 
     |addtotals fieldname=duration *duration_secs 
     |convert rmunit(duration) as numSecs 
     |eval stringSecs=tostring(duration,"duration")  
     |eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
     |rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
     |eval stringSecs=myRest. "s " .ms. "ms" 
     |eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
     |where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
     |convert timeformat="%d/%b/%Y" ctime(earliestTime) 
     |eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
     |convert timeformat="%d/%b/%Y" ctime(latestTime) 
     |eval daterange= "From: ".earliestTime.", To: ".latestTime 
     |makemv delim=", " daterange 
     |sort +author 
     |table author eai:acl.app title daterange  NoOfDays stringSecs 
     |rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"
     </searchTemplate>

Re: Using multiple searchTemplates in a dashboard, why is the search from the first panel being run in the second panel?


Hi, thank you for coming back to me with this. You must have been quick off the mark, because I had deleted the question having found a solution, which I'll post in the answer section.

Kind Regards

Chris


Re: Using multiple searchTemplates in a dashboard, why is the search from the first panel being run in the second panel?


Hi, thank you for looking at my post.

I actually found the solution here, so I moved the "Search Templates" between the tags.

So my final code was:

<form>
  <label>Splunk User Activity Monitoring</label>
  <!-- each panel's search template now sits inside its own <table> element below, with replacement tokens delimited with $ -->
  <fieldset>
    <!-- Define a simple dropdown form driven by a search -->
    <input type="time" token="timerange">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="author">
      <label>Select a User</label>
      <search>
        <query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|stats count by author</query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>author</fieldForLabel>
      <fieldForValue>author</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchTemplate>|rest /services/search/jobs 
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!="" 
|search author =$author$ 
|addtotals fieldname=duration *duration_secs 
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")  
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
|eval stringSecs=myRest. "s " .ms. "ms" 
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
|eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime) 
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime) 
|eval daterange= "From: ".earliestTime.", To: ".latestTime 
|makemv delim=", " daterange  
|sort +author
|table author eai:acl.app title daterange  NoOfDays stringSecs 
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
        <title>Splunk Searches Performed - Results for $author$</title>
        <option name="count">50</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
        <searchTemplate>|rest /services/search/jobs 
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$ 
|addtotals fieldname=duration *duration_secs 
|convert rmunit(duration) as numSecs 
|eval stringSecs=tostring(duration,"duration")  
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
|eval stringSecs=myRest. "s " .ms. "ms" 
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
|where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime) 
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime) 
|eval daterange= "From: ".earliestTime.", To: ".latestTime 
|makemv delim=", " daterange 
|sort +author 
|table author eai:acl.app title daterange  NoOfDays stringSecs 
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Searches Taking Longer Than 5 Minutes To Complete</title>
        <searchTemplate>|rest /services/search/jobs   
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$ 
|addtotals fieldname=duration *duration_secs   
|where duration>=300 
|convert rmunit(duration) as numSecs   
|eval stringSecs=tostring(duration,"duration")   
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")  
|rex field=stringSecs "\.(?<ms>\d{2})" 
| rex field=stringSecs "(?<myRest>.+)s\."   
|eval stringSecs=myRest. "s " .ms. "ms" 
|sort +author   
|table author eai:acl.app title stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", stringSecs as "Query Runtime"</searchTemplate>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

Kind Regards

Chris


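The accepted answer works because a `<searchTemplate>` placed inside a `<table>` belongs to that table only, whereas a `<searchTemplate>` placed directly under `<form>` is the dashboard-wide default that every panel without its own search falls back to. The price of that fix is that the same twenty-line `| rest` pipeline is copied into each of the three tables, and only the `where` clause differs. Simple XML's base search and post-process search mechanism (what the original question was reaching for with `<search base="global">`, which fails because no search with `id="global"` was ever declared) lets the shared pipeline run once and each panel apply just its own filter. The form below is an added example written for this page, not Chris's code or Splunk's own documentation; the search `id` value `jobs_base` and the per-panel filters are assumptions, and the SPL is taken from the final dashboard above with `strptime` + `convert ctime` collapsed into `strftime(strptime(...))`, which yields the same formatted string.

```xml
<form>
  <label>Splunk User Activity Monitoring (base search variant)</label>

  <!-- Base search: declared once at form level with an id.
       It re-runs whenever $author$ changes, and every panel that
       references base="jobs_base" is refreshed from its results. -->
  <search id="jobs_base">
    <query>| rest /services/search/jobs
| search NOT (author="splunk-system-user" OR author="monitoring") title!="" author=$author$
| addtotals fieldname=duration *duration_secs
| eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24))
| eval earliestTime=strftime(strptime(earliestTime, "%Y-%m-%dT%H:%M:%S"), "%d/%b/%Y")
| eval latestTime=strftime(strptime(latestTime, "%Y-%m-%dT%H:%M:%S"), "%d/%b/%Y")
| eval daterange="From: ".earliestTime.", To: ".latestTime
| table author eai:acl.app title daterange NoOfDays duration</query>
  </search>

  <fieldset>
    <input type="time" token="timerange">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="author">
      <label>Select a User</label>
      <search>
        <query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|stats count by author</query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>author</fieldForLabel>
      <fieldForValue>author</fieldForValue>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <title>Splunk Searches Performed - Results for $author$</title>
        <!-- Post-process search: starts with a pipe and only holds what differs per panel -->
        <search base="jobs_base">
          <query>| sort +author
| rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", duration as "Query Runtime (s)"</query>
        </search>
        <option name="count">50</option>
        <option name="wrap">true</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <table>
        <title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
        <search base="jobs_base">
          <query>| where NoOfDays>=90
| sort +author
| rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", duration as "Query Runtime (s)"</query>
        </search>
        <option name="count">10</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <table>
        <title>Searches Taking Longer Than 5 Minutes To Complete</title>
        <search base="jobs_base">
          <query>| where duration>=300
| sort -duration
| rename author as "Search Author", eai:acl.app as "App Used", title as "Query", duration as "Query Runtime (s)"</query>
        </search>
        <option name="count">10</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
```

Two caveats a practitioner should keep in mind. First, a post-process search only sees the fields the base search carries through its final `table`, so any field a panel filters or displays on must survive there; `searchEarliestTime` and `searchLatestTime` are consumed into `NoOfDays` in the base and are not available to the panels. Post-process searches also only operate on a bounded number of base results, which is no concern for a `| rest` job listing but matters if the base search is ever switched to an event search. Second, `| rest /services/search/jobs` returns only the jobs the user viewing the dashboard is permitted to see, so as an audit view it is only as complete as the role of whoever opens it; an admin sees every user's searches, an ordinary user sees essentially their own.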