Can I have multiple panels using the same inline search result?

edrivera3
Builder

Hi

I have five panels in a dashboard, and three of those five panels are using the same inline search results. Is there a way to make Splunk run one inline search and use its result to build multiple panels?

1 Solution

jeffland
SplunkTrust

You don't need to use saved searches. Right at the beginning of the Simple XML reference, it says

"A dashboard can contain one or more global <search> elements that drive the data displayed in the dashboard."

Here's what you need to do in XML:

<dashboard>
    <search id="base">
        <!-- The base query as you have it in the search tag of your visualization -->
        <query>index = foo</query>
        <earliest>-8h@h</earliest>
        <latest>now</latest>
    </search>
    <row>
        <panel>
            <chart>
                <search base="base">
                    <!-- Any postprocessing goes here, we don't have any so this is empty -->
                </search>
                <option name="charting.chart">bar</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <!-- ...And all the other stuff you want to do. -->
            </chart>
            <chart>
                <search base="base">
                </search>
                <!-- You get the idea. -->
            </chart>
        </panel>
    </row>
</dashboard>

As you see, there's your one-time base search which we reference in our visualization (chart). This is basically the explicit version of what stephane_cyrille proposed, plus a bit simplified.

edrivera3
Builder

Thanks for your answer!

0 Karma

stephane_cyrill
Builder

OK edrivera3, this is another way to solve the problem.

1- DO AN INLINE SEARCH GLOBALLY WITHOUT TOKEN (base search). From this you can derive many postprocess searches (many panels).

2- DO THE POSTPROCESS AND FILTER THE RESULT OF THAT BASE SEARCH (it can be a savedsearch)

3- The postprocess search is piped at the end like this, for example:
..........|search $host$

see this

docs.splunk.com/Documentation/Splunk/6.2.2/AdvancedDev/PostProcess

0 Karma
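The base search plus post-process pattern described in the answers above, as an added example that is not part of any original post. It reuses the index and field names from the query posted later in this thread (`index="job_event"`, `error_number`, `test_number`, `airplane_number`) and the time range from the accepted answer; the labels, titles and panel layout are assumptions.

```xml
<form>
  <label>Job errors (constructed example)</label>
  <fieldset submitButton="false">
    <input type="text" token="error_number">
      <label>Error number</label>
    </input>
  </fieldset>
  <!-- Base search: runs once, contains no token, and ends in a transforming
       command so only a small summary table is handed to the panels. -->
  <search id="base">
    <query>index="job_event" | stats count by error_number, test_number, airplane_number</query>
    <earliest>-8h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <table>
        <title>Tests per airplane for the selected error</title>
        <search base="base">
          <!-- Post-process: filters the base results. The |s token filter wraps
               the typed value in quotes, so it is matched as one literal value. -->
          <query>search error_number=$error_number|s$ | stats values(test_number) as test_number by airplane_number</query>
        </search>
      </table>
      <chart>
        <title>Events per airplane for the selected error</title>
        <search base="base">
          <query>search error_number=$error_number|s$ | stats sum(count) as events by airplane_number</query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
      <chart>
        <title>Events per error number (no token)</title>
        <search base="base">
          <query>stats sum(count) as events by error_number</query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the token appears only in the post-process queries, changing the input re-filters the existing base results instead of dispatching the index search again.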

stephane_cyrill
Builder

Hi, to use savedsearch with your token, try this in the searchString tag:

|savedsearch report_name ....... l..........|..

You can put your token anywhere, like in a normal query.

It may be necessary to put the token in quotes, like this for example: status="$status$"

NOTE: IF YOU ARE USING Splunk 6.2.... MAKE SURE YOU ENCLOSE THE QUERY BY

<query>....</query>

instead of

<searchString>.......</searchString>

0 Karma

stephanefotso
Motivator

Yes of course! You can call your saved search in each panel.
Here is an example of how you can call your saved search. Just do the same thing on each panel.

<dashboard>
  <label>Inline Search</label>
  <description>Table, Chart and Event panels powered by inline searches.</description>

  <row>
    <panel>
      <table>
        <title>Report Table</title>
        <search ref="reporting_search_table"/>
        <option name="count">5</option>
      </table>
      <chart>
        <title>Report Chart</title>
        <search ref="reporting_search_timechart"/>
        <option name="charting.chart">area</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <event>
        <title>Report Event</title>
        <search ref="nonreporting_search"/>
        <option name="count">5</option>
      </event>
    </panel>
  </row>
</dashboard>
SGF
0 Karma

edrivera3
Builder

Are you referring to report when you say saved search? If so I haven't found a way to use report while keeping my tokens for text input.

0 Karma

stephanefotso
Motivator

OK. So you are using a selection menu! There is a way to do it. Insert tokens in your search query before saving it as a Report. It will work.

SGF
0 Karma

edrivera3
Builder

No. That doesn't work. If I insert the token before saving it, no result will show in the dashboard. This is my search query, and it would not produce results either in the search app or the dashboard because there is no error_number = $ error_number$.

index="job_event" error_number=$ error_number$ | stats values(test_number) as test_number by airplane_number

The only way I could make this work is by doing an inline search in the dashboard.

0 Karma

edrivera3
Builder

I tried adding quotation marks before the dollar signs in the token or adding an extra dollar sign but nothing works.

0 Karma