searchTemplate and searchPostProcess

ben_leung
Builder

Splunk version 5.0.3

I want the searchTemplate to auto-start in the background, then the user can select a user to query.
When running the dashboard, the searchTemplate is run, but the post process is not appended to the query.

<form>
  <label>bleung_dashboard_search</label>
  <description/>
  <searchTemplate>`audit_searchlocal` 
| convert num(total_run_time) 
| eval user = if(user="n/a", null(), user) 
| `audit_rexsearch` 
| eval is_scheduled = if(search_id LIKE "scheduler%", "yes", "no") 
| stats min(_time) as _time first(user) as user first(total_run_time) as total_run_time first(is_scheduled) as is_scheduled first(search) as search by search_id 
| search user=* 
| sort - total_run_time 
| fields - search_id
  </searchTemplate>
  <earliestTime>-24h</earliestTime>
  <latestTime>-1m</latestTime>

  <fieldset submitButton="true">
    <input type="dropdown" token="user">
      <label>Users</label>
      <choice value="admin">admin</choice>
      <choice value="bleung">bleung</choice>
    </input>
  </fieldset>
  <row>
      <table>
        <searchPostProcess>search user=$user$</searchPostProcess>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
  </row>
</form>
1 Solution

ben_leung
Builder

As said by somesoni2, tokens won't work with PostProcess in simple and advanced XML. Instead of a static drop-down, I am creating individual panels for each option until there is a workaround.


ben_leung
Builder

@somesoni2
I used one of the examples in the Sideview app and created a more dynamic approach. Let me know what you think!

<view autoCancelInterval="90" decomposeIntentions="false" isPersistable="true" isSticky="false" isVisible="true" objectMode="viewconf" onunloadCancelJobs="true" template="dashboard.html">
  <label>bleung_dashboard_search</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="appHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="maxSize">2</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="filter">*</param>
  </module>
  <module name="HTML" layoutPanel="viewHeader">
    <param name="html">&lt;h1&gt;User Search&lt;/h1&gt;</param>
  </module>
  <module name="TextField" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="name">searchString</param>
    <param name="default">`audit_searchlocal` 
| convert num(total_run_time) 
| eval user = if(user="n/a", null(), user) 
| `audit_rexsearch` 
| eval is_scheduled = if(search_id LIKE "scheduler%", "yes", "no") 
| stats min(_time) as _time first(user) as user first(total_run_time) as total_run_time first(is_scheduled) as is_scheduled first(search) as search by search_id 
| search user=* 
| sort - total_run_time 
| fields - search_id
    </param>
    <param name="label">Search</param>
    <param name="width">350px</param>
    <module name="Button">
      <param name="allowSoftSubmit">True</param>
      <param name="label">Search</param>
      <module name="Search">
        <param name="latest">now</param>
        <param name="search">$searchString$</param>
        <param name="earliest">-24h</param>
        <module name="HTML">
          <param name="html">$results.count$ search results found</param>
        </module>
        <module name="JobProgressIndicator"/>
        <module name="TextField">
          <param name="name">postProcessString</param>
          <param name="default">search user=admin | head 5</param>
          <param name="label">Post Process</param>
          <param name="width">300px</param>
          <module name="Button">
            <param name="allowSoftSubmit">True</param>
            <param name="label">Filter</param>
            <module name="PostProcess">
              <param name="search">$postProcessString$</param>
              <module name="Pulldown">
                <param name="name">results.count</param>
                <param name="staticOptions">
                  <list>
                    <param name="value">10</param>
                  </list>
                  <list>
                    <param name="value">20</param>
                  </list>
                  <list>
                    <param name="value">50</param>
                  </list>
                  <list>
                    <param name="selected">True</param>
                    <param name="value">100</param>
                  </list>
                </param>
                <param name="label">results per page</param>
                <param name="float">right</param>
                <module name="PostProcess">
                  <param name="search">$postProcess$ | stats count</param>
                  <module name="HTML">
                    <param name="html">$results[0].count$ postprocessed results found</param>
                  </module>
                </module>
                <module name="Pager">
                  <module name="Table"/>
                  <module name="Pager"/>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>

somesoni2
SplunkTrust

One workaround (to get rid of two panels) is to convert searchTemplate/searchPostProcess into a regular searchString within the panel, where the tokens work.

e.g.

<form>
  <label>bleung_dashboard_search</label>
  <description/>
  <fieldset submitButton="true">
    <input type="dropdown" token="user">
      <label>Users</label>
      <choice value="admin">admin</choice>
      <choice value="bleung">bleung</choice>
    </input>
  </fieldset>
  <row>
    <table>
      <searchString>`audit_searchlocal` 
| convert num(total_run_time) 
| eval user = if(user="n/a", null(), user) 
| `audit_rexsearch` 
| eval is_scheduled = if(search_id LIKE "scheduler%", "yes", "no") 
| stats min(_time) as _time first(user) as user first(total_run_time) as total_run_time first(is_scheduled) as is_scheduled first(search) as search by search_id 
| search user=* 
| sort - total_run_time 
| fields - search_id | search user=$user$
      </searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>-1m</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
    </table>
  </row>
</form>

somesoni2
SplunkTrust

Any chance you'd consider using advanced xml? With advanced xml along with Sideview Utils, you can achieve what you want here.


ben_leung
Builder

Yea, this is how I started. I wanted to make the base search populate first because I will have 10-15 static options/users to select. I do not plan on running the search every time a user is selected.

Also thought of creating a scheduled saved search, but just wanted to get results when needed.


ben_leung
Builder

Hi somesoni2, you are right about tokens not being supported. As you know the base search is grabbing all users. I wanted a drop-down to specify a user... I guess I could create individual panels for users and just have the top 5 results for each user. It would look messy though.

Thanks for responding btw.


somesoni2
SplunkTrust

The searchTemplate and searchPostProcess are available in Splunk 5.x, but searchPostProcess (or HiddenPostProcess in advanced XML) doesn't support $foo$ tokens. You have to have a static PostProcess search. (You can validate that by making your searchPostProcess query a static value of 'search user="admin"'.)
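As an added example (not code from this thread, from Splunk, or from the Sideview app), the following Python script mechanises the two points made here: somesoni2's observation that a `$token$` inside `<searchPostProcess>` is never substituted on Splunk 5.x, and the earlier workaround of folding the searchTemplate and the post-process into a single per-panel `<searchString>`. It parses a simple XML form, reports every `<searchPostProcess>` that references a token, then rewrites the form so each such panel gets `template | postprocess` as its own searchString with the form-level time range copied into the panel. The sample form is constructed for the example and only loosely mirrors the one in the question; the function names `find_tokenized_postprocess`, `fold_postprocess` and `lint_and_rewrite` are my own.

```python
import re
import xml.etree.ElementTree as ET

# Splunk simple XML tokens look like $user$ or $results.count$.
TOKEN_RE = re.compile(r"\$[A-Za-z_][\w.]*\$")

# Constructed sample form, modelled on the one in the question; not the original file.
SAMPLE_FORM = """<form>
  <label>bleung_dashboard_search</label>
  <searchTemplate>`audit_searchlocal` | stats count by user</searchTemplate>
  <earliestTime>-24h</earliestTime>
  <latestTime>-1m</latestTime>
  <fieldset submitButton="true">
    <input type="dropdown" token="user">
      <label>Users</label>
      <choice value="admin">admin</choice>
      <choice value="bleung">bleung</choice>
    </input>
  </fieldset>
  <row>
    <table>
      <searchPostProcess>search user=$user$</searchPostProcess>
      <option name="wrap">true</option>
    </table>
  </row>
</form>
"""


def panels_with_postprocess(root):
    """All elements with a direct <searchPostProcess> child, collected up front so the
    tree can be modified afterwards without disturbing the iteration."""
    return [el for el in root.iter() if el.find("searchPostProcess") is not None]


def find_tokenized_postprocess(root):
    """Lint: (panel tag, post-process text, tokens) for every <searchPostProcess> that
    references a $token$, which Splunk 5.x will not substitute."""
    hits = []
    for panel in panels_with_postprocess(root):
        text = (panel.find("searchPostProcess").text or "").strip()
        tokens = TOKEN_RE.findall(text)
        if tokens:
            hits.append((panel.tag, text, tokens))
    return hits


def fold_postprocess(root):
    """Workaround: drop the form-level <searchTemplate> and give each panel a
    <searchString> of 'template | postprocess', copying the time range into the panel.
    Returns the number of panels rewritten."""
    template = root.find("searchTemplate")
    if template is None or not template.text:
        return 0
    base = " ".join(template.text.split())  # collapse the multi-line SPL onto one line
    time_bounds = [el for el in (root.find("earliestTime"), root.find("latestTime"))
                   if el is not None]
    folded = 0
    for panel in panels_with_postprocess(root):
        pp = panel.find("searchPostProcess")
        idx = list(panel).index(pp)
        panel.remove(pp)
        search = ET.Element("searchString")
        search.text = f"{base} | {' '.join((pp.text or '').split())}"
        panel.insert(idx, search)
        for offset, bound in enumerate(time_bounds, start=1):
            copy = ET.Element(bound.tag)
            copy.text = bound.text
            panel.insert(idx + offset, copy)
        folded += 1
    for el in [template, *time_bounds]:
        root.remove(el)
    return folded


def lint_and_rewrite(xml_text):
    """Parse a form, report tokenised post-processes, apply the rewrite when any are
    found, and return (hits, panels rewritten, rewritten XML as text)."""
    root = ET.fromstring(xml_text)
    hits = find_tokenized_postprocess(root)
    folded = fold_postprocess(root) if hits else 0
    return hits, folded, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    hits, folded, rewritten = lint_and_rewrite(SAMPLE_FORM)
    for tag, text, tokens in hits:
        print(f"<{tag}> searchPostProcess uses {tokens}: {text!r}")
    print(f"rewrote {folded} panel(s):\n{rewritten}")
```

Run it against a saved form file by passing the file's contents to `lint_and_rewrite`; a form that is already using per-panel searchStrings produces no hits and is returned unchanged. The rewrite trades the one shared base search for one search per panel, which is the cost somesoni2's workaround accepts in exchange for working tokens.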

ben_leung
Builder

Works in 6.1. I converted it to advanced XML, used the advanced XML and tried it on Splunk 5, same results. Clicking "View results" shows the HiddenSearch, but the HiddenPostProcess did not get searched, and no results are shown on the dashboard itself.


ben_leung
Builder

When viewing results, the stats table displays the expected data. In the dashboard, no results found.


ben_leung
Builder

I am guessing that searchTemplate and searchPostProcess are not featured in version 5 of Splunk?
