Splunk Search

View dashboard subsearches using HiddenSearch

Explorer

Hi,

I am creating a custom view dashboard. In that I'm trying to utilize the same search to extract a single value and then modify that search slightly to put the rest of the results in a column chart. I would think that this would be fairly easy, but I'm missing something. I could just have two separate searches but that would be an inefficient use of resources.

In the example below I try to create a child "HiddenSearch". I don't get any errors, but all I see in the view is "No Result Data"

Any help would be appreciated.

<view template="dashboard.html">
   <label>myapp Identity Verification</label>

   <module name="AccountBar" layoutPanel="appHeader" />

   <module name="AppBar" layoutPanel="navigationHeader" />

   <module name="Message" layoutPanel="messaging">
      <param name="filter">*</param>

      <param name="clearOnJobDispatch">False</param>

      <param name="maxSize">1</param>
   </module>

   <module name="TitleBar" layoutPanel="viewHeader">
      <param name="actionsMenuFilter">dashboard</param>
   </module>

   <module name="TimeRangePicker" group="Success Rate" layoutPanel="panel_row1_col1">
      <param name="selected">Last 7 days</param>

      <param name="searchWhenChanged">True</param>

      <module name="GenericHeader">
         <param name="label">Success Rate</param>

         <module name="HiddenSearch" autoRun="True">
            <param name="search">sourcetype="myapp_app_audit" End | stats count(eval((operation="ResetPIN" AND ref_step="Resolve" AND step="CheckAnswer") OR (operation="SetACI" AND ref_step="Resolve" AND (step="NeedNewCID" OR step="ForgotCID")) OR (operation="CreatePIN" AND ref_step="Resolve" AND match(step,"Register*")) OR (operation="ChangePIN" AND step="Change" AND ref_step="Resolve"))) AS Succeeded, count(eval(ref_step="InitNoAuth" AND step="Resolve")) AS Attempted | eval Failed=Attempted-Succeeded |eval SuccessRate=round(Succeeded/Attempted,2)</param>

            <module name="SingleValue">
               <param name="beforeLabel">Success Rate</param>

               <param name="format">percent</param>

               <param name="field">SuccessRate</param>
            </module>

            <module name="HiddenSearch" autoRun="True">
               <param name="search">|fields Attempted Failed Succeeded|untable "status" "status" "count"</param>

               <module name="HiddenChartFormatter">
                  <param name="chart">column</param>

                  <param name="primaryAxisTitle.text">Accumulated Totals</param>

                  <param name="secondaryAxisTitle.text">Transaction Count</param>

                  <param name="legend.placement">none</param>

                  <module name="JobProgressIndicator" />

                  <module name="FlashChart">
                     <param name="width">100%</param>

                     <param name="height">200px</param>
                  </module>

                  <module name="SimpleResultsTable" />
               </module>
            </module>
         </module>
      </module>
   </module>
</view>

Splunk Employee

You need to use the HiddenPostProcess module to apply commands to data from a higher-level search. HiddenSearch will just run a different search from scratch, and in this case, just running the command |fields ... will produce no data.

Update:

The charts do not want data in untabled format. They need it in tables, where each series is a column. However, it also requires an x field to indicate the series grouping name/id. Assuming you just want three columns displayed (Attempted, Succeeded, Failed), to format your original search for the chart, instead of untable, you should use:

| fields Attempted Succeeded Failed | eval Units="count"

The name of the field and value don't matter.
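
A check for the mistake described in this answer, as an added example that is not part of the original thread: it parses a view's XML and flags any HiddenSearch whose search begins with a pipe followed by a non-generating command, which is the case where HiddenPostProcess was intended. The function names, the GENERATING list (non-exhaustive) and the reduced sample view are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Commands that can legitimately start a search after a leading pipe
# (non-exhaustive list, assumed sufficient for this example).
GENERATING = {"inputlookup", "inputcsv", "metadata", "tstats", "rest",
              "makeresults", "loadjob", "savedsearch", "datamodel",
              "dbinspect", "eventcount", "gentimes", "search"}

def search_param(module):
    """Return the text of the module's own <param name="search">, or None."""
    for param in module.findall("param"):
        if param.get("name") == "search":
            return (param.text or "").strip()
    return None

def first_command(search):
    """Name of the first command if the search starts with a pipe, else None."""
    m = re.match(r"\|\s*([A-Za-z_]+)", search)
    return m.group(1).lower() if m else None

def lint_view(xml_text):
    """Flag HiddenSearch modules that look like misplaced post-processing."""
    findings = []
    def walk(module, inside_search):
        search = search_param(module)
        if module.get("name") == "HiddenSearch" and search is not None:
            cmd = first_command(search)
            if cmd and cmd not in GENERATING:
                where = "nested under another search" if inside_search else "top level"
                findings.append((cmd, where))
            inside_search = True
        for child in module.findall("module"):
            walk(child, inside_search)
    for module in ET.fromstring(xml_text).findall("module"):
        walk(module, False)
    return findings

# Constructed sample, reduced from the view in the question.
SAMPLE = """<view template="dashboard.html">
  <module name="HiddenSearch" autoRun="True">
    <param name="search">sourcetype="myapp_app_audit" End | stats count AS Attempted</param>
    <module name="HiddenSearch" autoRun="True">
      <param name="search">|fields Attempted Failed Succeeded|untable "status" "status" "count"</param>
    </module>
    <module name="HiddenPostProcess">
      <param name="search">| fields Attempted Succeeded Failed | eval Units="count"</param>
    </module>
  </module>
</view>"""
```

Calling `lint_view(SAMPLE)` reports only the nested HiddenSearch; the HiddenPostProcess module and the base search are left alone.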


Explorer

I'm leaving the full code for what I am trying to do now that I know "HiddenPostProcess" exists. The |untable command seems to not work.

<view template="dashboard.html">
   <label>Test Area</label>

   <module name="AccountBar" layoutPanel="appHeader" />

   <module name="AppBar" layoutPanel="navigationHeader" />

   <module name="Message" layoutPanel="messaging">
      <param name="filter">*</param>

      <param name="clearOnJobDispatch">False</param>

      <param name="maxSize">1</param>
   </module>

   <module name="TitleBar" layoutPanel="viewHeader">
      <param name="actionsMenuFilter">dashboard</param>
   </module>

   <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
      <param name="selected">Last 7 days</param>

      <param name="searchWhenChanged">True</param>

      <module name="HiddenSearch" autoRun="True">
         <param name="search">(sourcetype="corps_app_error" NOT monitoring:W_ResponseTimeThresholdExceeded NOT common:F_RMDC_MissingRequiredValue NOT "Relationship * not supported") OR (sourcetype="corps_app_audit" End step="Resolve") | transaction ReqId | stats count(ReqId) AS Attempted, count(eval(NOT sourcetype="corps_app_error")) AS Succeeded |eval Failed=Attempted-Succeeded |eval SuccessRate=round(Succeeded/Attempted,2)</param>

         <module name="SingleValue">
            <param name="beforeLabel">Success Rate</param>

            <param name="format">percent</param>

            <param name="field">SuccessRate</param>
         </module>

         <module name="HiddenPostProcess">
            <param name="search">|fields Attempted Failed Succeeded |untable "status" "status" "count"</param>

            <module name="HiddenChartFormatter">
               <param name="chart">column</param>

               <param name="primaryAxisTitle.text">Identify User</param>

               <param name="secondaryAxisTitle.text">Transaction Count</param>

               <param name="legend.placement">None</param>

               <module name="JobProgressIndicator" />

               <module name="FlashChart">
                  <param name="width">100%</param>

                  <param name="height">200px</param>
               </module>

               <module name="SimpleResultsTable" />
            </module>
         </module>
      </module>
   </module>
</view>
0 Karma

Explorer

Actually I kind of get what you are saying. I can make the chart if I use "Units", but how do I make the chart use that as my x-axis? It certainly isn't doing it in any way I can figure out.

0 Karma

Explorer

Well, my table got messed up in comment formatting. It's basically a table with headers status & count. Then row 1, 2, 3.

0 Karma

Explorer

I don't think that's right for what I am trying to do. My chart is a summation, not a chart over time. I have only been able to produce the chart I want by getting it in the following format.

   status     count
1  Attempted  658
2  Failed     122
3  Succeeded  536

So, I'm still a little stuck in that area. When I run this from the search app it works great and the chart is exactly what I want. When I do it in the "view" it gets messed up.

0 Karma

Explorer

Thank you for that. I see that documentation. It is only partially working for me though. The initial search works and then it appears that the HiddenPostProcess kind of works, but it seems to stumble. I'm trying to turn this into a column chart and the use of the |untable command doesn't reorient the table like it does in the search bar.

Any suggestions for a different way to produce the same table is certainly welcome.

0 Karma

Splunk Employee

Oh, that's interesting...it's not in the online docs. I'll file a bug on that. In general, you can see docs for the modules in your own Splunk instance by going to http://localhost:8000/modules though.

0 Karma

Explorer

Where is this documented?

0 Karma