Using searchPostProcess with input tokens

ruiaires
Path Finder

I need to drive 2 different searches from a form input.
It's a very basic dashboard where I need a configurable timechart (where span and aggregation are chosen from input boxes).

However, I also need to display a total count single value.

Using the info on the documentation I tried to use FormSearchPostProcess but it won't accept input tokens:

<searchPostProcess>stats count</searchPostProcess> <--- OK

<searchPostProcess>timechart count span=$span$ $aggr$</searchPostProcess> <--- ERROR

I can solve the problem by doing 2 parallel searches (repeating searchTemplate twice), but it's not so optimal, although all this data is coming from Summary Indexes (and the queries are very fast).

To do this, must I use AdvancedXML?

1 Solution

Kyle_Jackson
Explorer

You can use multiple searchTemplate tags throughout your form. No need for PostProcess. I had this same issue, removed my searchTemplate that had the beginning of my search and just replaced the searchPostProcess tags with searchTemplate, and voilà.

swdonline
Path Finder

Can you do the timechart in your original search template and then only post process for the stats? Something like this:

<searchTemplate>your search | timechart count span=$span$ $aggr$</searchTemplate>

<searchPostProcess>stats count</searchPostProcess>

Or is it that you only want to aggregate on the timechart, but not the stats chart? What kind of values are you using for $aggr$?

Alternately, the problem might be that the field being used for $aggr$ is not present in your postprocess. So perhaps adding all the possible fields from your dropdown to the search template will help. Something like this:

<searchTemplate>your search | fields aggrfield1 aggrfield2 ...</searchTemplate>

sideview
SplunkTrust

Note that your postprocess there will simply count the number of timebuckets coming out of the timechart, not the number of actual events being counted in the timechart. Read the postprocess documentation in Sideview Utils ("Key Techniques > Using PostProcess > Introduction") to get a good overview and an illustration of various pitfalls involved.

sideview
SplunkTrust

In the core Splunk UI, the HiddenPostProcess module is not capable of doing dynamic token replacement (aka $foo$ replacement) at all. Even if you switch to advanced XML, you'll still have to run two searches to get what you need.

However, you might want to check out the Sideview Utils app on Splunkbase. Sideview Utils brings a number of new modules into the arsenal, and it also contains its own documentation about how to use these modules in your views. In particular, it packages a 'PostProcess' module that is intended to supersede the 'HiddenPostProcess' module. And 'PostProcess' accepts $foo$ tokens in its 'search' param. In fact, the vast majority of params across all of the Sideview Utils modules accept $foo$ tokens.

bbingham
Builder

To my knowledge, the module "HiddenPostProcess" is only available in the advanced XML.

Here's the page about it in the docs: Post Process

What I really want to stress is that the post process module needs to have a search as a parent search that will construct the data needed for all of the following searches, not the actual events. In your case, your parent search would be best to have timechart count span=$span$ $aggr$ appended to it, and then do a simple | stats sum(count) as your post process.
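
The layout bbingham and sideview describe, as an added example (not code from the thread or from Splunk's documentation): a legacy simple XML form whose single searchTemplate runs the timechart with the token, while the single-value panel post-processes it with a static stats sum(count). The index name, labels and span choices are assumptions, and $aggr$ is left out because the thread never says what it holds.

```xml
<form>
  <label>Configurable timechart with total (added example)</label>

  <!-- One parent search feeds every panel. Token replacement works
       here, so the timechart itself belongs in the parent search.
       "my_summary" is a placeholder index name. -->
  <searchTemplate>index=my_summary | timechart count span=$span$</searchTemplate>

  <fieldset>
    <!-- Populates $span$; the choices are illustrative. -->
    <input type="dropdown" token="span">
      <label>Span</label>
      <choice value="5m">5 minutes</choice>
      <choice value="1h">1 hour</choice>
      <choice value="1d">1 day</choice>
      <default>1h</default>
    </input>
    <input type="time"/>
  </fieldset>

  <row>
    <!-- No post-process: renders the parent search's timechart rows. -->
    <chart>
      <title>Events over time</title>
      <option name="charting.chart">line</option>
    </chart>

    <!-- Static post-process, no tokens needed. sum(count) adds up the
         per-bucket counts; "stats count" here would return the number
         of time buckets instead of the number of events. -->
    <single>
      <title>Total events</title>
      <searchPostProcess>stats sum(count) as total</searchPostProcess>
    </single>
  </row>
</form>
```

If a split-by clause is added to the timechart, the result columns are named after the field's values rather than count, so the post-process would have to change accordingly.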
