Solved: Example: Simple XML using PostProcess?

the_wolverine · ‎03-02-2015

Can someone post a simple example? The documentation uses Advanced XML as the example: http://docs.splunk.com/Documentation/Splunk/6.0.5/AdvancedDev/PostProcess

Raghav2384 · ‎03-02-2015

Hey, here's a simple syntax

<!-- My parent search -->
<search id="xyz">
  <query>.....|stats count by a,b,c,d,e,f,_time</query>
</search>
<!-- post processing reference -->
<chart>
  <search base="xyz">
    <query> timechart count by a span=15m</query>
  </search>
</chart>
<chart>
  <search base="xyz">
    <query>chart count over a by b</query>
  </search>
</chart>

Hope this helps!

View solution in original post

s2_splunk · ‎03-02-2015

From the Splunk 6.x Dashboard Examples app here:

<form>
  <label>Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline.</description>
  <searchTemplate>index=_internal | head 1000</searchTemplate>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Events over Time</title>
      <searchPostProcess>timechart count</searchPostProcess>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes</title>
      <searchPostProcess>top limit=100 sourcetype | eval percent = round(percent,2)</searchPostProcess>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>

skawasaki_splun · ‎06-25-2015

FYI this is the syntax for Splunk 6.0 and 6.1, which only allowed one base search. Splunk 6.2 allows multiple base search (distinguished by ids).

Raghav2384 · ‎03-02-2015

Hey, here's a simple syntax

<!-- My parent search -->
<search id="xyz">
  <query>.....|stats count by a,b,c,d,e,f,_time</query>
</search>
<!-- post processing reference -->
<chart>
  <search base="xyz">
    <query> timechart count by a span=15m</query>
  </search>
</chart>
<chart>
  <search base="xyz">
    <query>chart count over a by b</query>
  </search>
</chart>

Hope this helps!

raj_mpl · ‎10-01-2018

with global and local time inputs the post processing mechanism not working .. why ?

androchentw · ‎10-26-2017

FYI: Multiple base searches is supported in Splunk 6.2+, and the example of official document is at Dashboards and Visualizations - Searches power dashboards and forms

link doesn't seem to work so I'll just put it here

1: https://answers.splunk.com/answers/239159/multiple-base-searches-in-a-dasboard-with-post-pro.html

2: http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/Savedsearches#Post-process_examples

the_wolverine · ‎04-14-2016

FYI: This syntax is only supported in Splunk 6.2+

Example: Simple XML using PostProcess?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation