Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Calling multiple Search Templates in a form
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I am trying to call to 2 search template in the same form and then display them with different charts.
However, I found the charts in lower part can't show anything unless if remove the first search Template the corresponding charts.
Is this possible to do?
Please suggest.
Thanks!!
This is the code:
<form>
<label>Simple select drop down</label>
<!-- define master search template, with replacement tokens delimited with $ -->
<searchName>abc</searchName>
<searchTemplate>sourcetype="search1"</searchTemplate>
<earliestTime>-300d</earliestTime>
<latestTime>-0d</latestTime>
<searchTemplate>"search2"</searchTemplate>
<earliestTime>-300d</earliestTime>
<latestTime>-0d</latestTime>
<fieldset>
<!-- Define a simple dropdown form driven by a search -->
<input type="dropdown" token="UserName">
<label>Select user</label>
<populatingSearch fieldForValue="UserName" fieldForLabel="UserName"><![CDATA[|savedsearch Details|top UserName]]></populatingSearch>
<choice value="%">All</choice>
</input>
</fieldset>
<row>
<chart>
<title>TimeChart</title>
<option name="charting.chart">pie</option>
</chart>
<chart>
<title>TimeChart</title>
<option name="charting.chart">bar</option>
</chart>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Move the searches inside the charts.
i.e.
<chart>
<searchTemplate>sourcetype="search1"</searchTemplate>
<earliestTime>-300d</earliestTime>
<latestTime>-0d</latestTime>
<title>TimeChart</title>
<option name="charting.chart">pie</option>
</chart>
If you have 2 search templates at the same level, one will clobber the other.
If you view the advanced xml (add ?showsource=t to the end of your views URL) you'll see what the simple XML gets converted to.
Whole sections of your forms xml mysteriously disappear.
Here's a working example :
<form>
<label>Dashboard to convert to Form Search</label>
<fieldset>
<input type="text" token="series">
<label>sourcetype</label>
<default/>
<seed>splunkd</seed>
<suffix>*</suffix>
</input>
</fieldset>
<row>
<chart>
<searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ | timechart avg(eps) </searchTemplate>
<earliestTime>-1w</earliestTime>
<latestTime>-1d</latestTime>
<option name="charting.chart">line</option>
</chart>
<chart>
<searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ | timechart avg(kbps) </searchTemplate>
<earliestTime>-1d</earliestTime>
<latestTime>now</latestTime>
<option name="charting.chart">column</option>
</chart>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Move the searches inside the charts.
i.e.
<chart>
<searchTemplate>sourcetype="search1"</searchTemplate>
<earliestTime>-300d</earliestTime>
<latestTime>-0d</latestTime>
<title>TimeChart</title>
<option name="charting.chart">pie</option>
</chart>
If you have 2 search templates at the same level, one will clobber the other.
If you view the advanced xml (add ?showsource=t to the end of your views URL) you'll see what the simple XML gets converted to.
Whole sections of your forms xml mysteriously disappear.
Here's a working example :
<form>
<label>Dashboard to convert to Form Search</label>
<fieldset>
<input type="text" token="series">
<label>sourcetype</label>
<default/>
<seed>splunkd</seed>
<suffix>*</suffix>
</input>
</fieldset>
<row>
<chart>
<searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ | timechart avg(eps) </searchTemplate>
<earliestTime>-1w</earliestTime>
<latestTime>-1d</latestTime>
<option name="charting.chart">line</option>
</chart>
<chart>
<searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ | timechart avg(kbps) </searchTemplate>
<earliestTime>-1d</earliestTime>
<latestTime>now</latestTime>
<option name="charting.chart">column</option>
</chart>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks @jonuwz this helps with my problem as well.
What if you want to use one search for several rows and another search for a few more rows.
Using your example at what level above the row would you put the template and still allow to run separately and only once each time the dashboard is refreshed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do the separate searchtemplate work in this example? Is there any performance profit? I do not understand
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it the same to separate searches in every chart?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks!
That worked! 🙂
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
Splunk Answers Content Calendar, July Edition I
