Using a Scheduled Saved Search as a base search in dashboard with post processing searches.

joydeep741
Path Finder

Requirement:
I have a dashboard which has a base search and three post process searches.
Now, I want to make the base search a scheduled report and replace the original base search with this scheduled report. How should I do this?

<searchTemplate>Scheduled Report</searchTemplate>
<postProcessSearch>1</postProcessSearch>
<postProcessSearch>2</postProcessSearch>
<postProcessSearch>3</postProcessSearch>

I tried <searchTemplate ref="report_name"> but it did not work.


grantjansen
Explorer

Simple XML example on version 6.2.2.
Create a real-time saved search named "RT_SavedSearch". For this example: index=_internal | head 1000

<form>
  <label>Post Process Saved Real-time Search</label>
  <description></description>
  <search id="BaseSearch" ref="RT_SavedSearch">
  </search>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="BaseSearch">
        <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="BaseSearch">
        <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>

intelsubham
Explorer

Suppose your scheduled report name is "Report1".

First, refer to it in a separate search:

<search id="MainSearch" ref="Report1">
  <query></query>
</search>

Then in the visualizations:

<chart>
  <title>Events over Time</title>
  <search base="MainSearch">
    <query>timechart count</query>
  </search>
  <option name="charting.chart">column</option>
</chart>

<table>
  <title>Top Sourcetypes</title>
  <search base="MainSearch">
      <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
  </search>
  <option name="displayRowNumbers">true</option>
</table>

millarma
Path Finder

Here is how I did it. I used loadjob to call a specific report and then piped it to a search command that includes tokens.

|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$

Here is what it looks like in XML. Look up loadjob for more info.

<panel>
  <input type="text" token="UserName" searchWhenChanged="true">
    <label>UserName</label>
    <suffix>*</suffix>
    <default>*</default>
  </input>
  <table>
    <title>Table of Clipping and Signal to Noise Ratio activity By Group</title>
    <search>
      <query>|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$</query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>

gjanders
SplunkTrust

Please note that using the above example in Splunk version 6.4, you need to remove the empty <query></query> from the <search id="MainSearch" ref="Report1"> for the above example to work...
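The rewrite the thread converges on (grantjansen's and intelsubham's answers, plus gjanders' note that on 6.4 the empty <query></query> under a ref search must go) is mechanical enough to script. The following is an added example, not code from the thread or from Splunk: it uses only Python's standard-library xml.etree to point an inline base search at a saved report, drop the empty <query> element, list the post-process searches that depend on that base, and additionally flag tokens that are interpolated into SPL without the |s filter, as in millarma's $UserName$ panel, since an unquoted token value is spliced into the search string as-is. The dashboard, the id "BaseSearch" and the report name "Report1" are constructed for the example.

```python
"""Rewrite a Splunk Simple XML dashboard so its base search is a saved report.

Added example (not from the thread or from Splunk). Standard library only.
Assumptions: the base search carries id="BaseSearch" and the scheduled
report is named "Report1"; both are constructed here for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample dashboard: an inline base search, one post-process
# panel, and one panel that drops a user-supplied token straight into SPL.
SAMPLE_DASHBOARD = """<form>
  <label>Demo</label>
  <search id="BaseSearch">
    <query>index=_internal | head 1000</query>
  </search>
  <row>
    <chart>
      <search base="BaseSearch">
        <query>timechart count</query>
      </search>
    </chart>
    <table>
      <search>
        <query>index=_internal | search UserName=$UserName$</query>
      </search>
    </table>
  </row>
</form>"""

# $name$ or $name|filter$ ; group 2 captures the optional filter (e.g. "|s").
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(\|[a-z]+)?\$")


def point_base_search_at_report(xml_text, base_id, report_name):
    """Return the dashboard with <search id=base_id> turned into ref=report_name.

    The inline <query> children are removed: with ref= set, the saved report
    supplies the search, and (per the thread) 6.4 rejects an empty <query/>.
    Raises ValueError if no search with that id exists.
    """
    root = ET.fromstring(xml_text)
    target = next((s for s in root.iter("search") if s.get("id") == base_id), None)
    if target is None:
        raise ValueError(f"no <search id={base_id!r}> in dashboard")
    target.set("ref", report_name)
    for query in list(target.findall("query")):
        target.remove(query)
    return ET.tostring(root, encoding="unicode")


def find_post_process_searches(xml_text, base_id):
    """List the post-process query strings that chain off base_id."""
    root = ET.fromstring(xml_text)
    return [
        (s.findtext("query") or "").strip()
        for s in root.iter("search")
        if s.get("base") == base_id
    ]


def find_unquoted_tokens(xml_text):
    """Return (query, token_name) pairs for tokens used in SPL without |s.

    Heuristic check: it looks only at <query> text and treats any token
    lacking the |s filter as unquoted, so review the findings by hand.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for query in root.iter("query"):
        text = query.text or ""
        for match in TOKEN_RE.finditer(text):
            if match.group(2) != "|s":
                findings.append((text.strip(), match.group(1)))
    return findings


if __name__ == "__main__":
    rewritten = point_base_search_at_report(SAMPLE_DASHBOARD, "BaseSearch", "Report1")
    print(rewritten)
    print("post-process searches:", find_post_process_searches(rewritten, "BaseSearch"))
    print("unquoted tokens:", find_unquoted_tokens(rewritten))
```

The rewritten base search comes out as <search id="BaseSearch" ref="Report1"></search>, which is the form gjanders describes for 6.4; the token check reports the UserName panel, where writing $UserName|s$ would have Splunk quote and escape the value before it reaches the search command.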

joydeep741
Path Finder

<search> <query> does not work in Splunk v6.0.
Any suggestions for my version?


intelsubham
Explorer

Well, I am using ver. 6.2.1, and it works fine. (Simple XML)
