Splunk Search

How to run a postprocess search to load a table taking values from a static pulldown?

harshal_chakran
Builder

Hi,

I am trying to achieve the below format in Advanced XML:
--MainSearch
---Pulldown with static options
----Postprocess search to load a table taking values from pulldown

When I do this, the postprocess search is not running.
Can anybody please help me with the sample code or the correct format to use?

0 Karma

woodcock
Esteemed Legend

I am assuming that you are getting "Waiting for data to load" (you really should be more specific). Generally the problem is that you have a token in your search somewhere that does not have a value. This happens EITHER when you are using a token, say tokenx, and have misspelled it somewhere (e.g. Tokenx, tokenX or even toknex) OR when you are copying a search string from somewhere else and do not notice that it has a token buried in it and you have not set this token. It can also happen if you have a search string copied from a working search bar example that uses the $field name$ syntax to specify that a thing is a field name and not a string. In such a case, you need to translate it to $$field name$$ inside your dashboard to keep the dashboard from using it as a token.

0 Karma

alacercogitatus
SplunkTrust

Advanced XML is deprecated. Use Simple XML or HTML Dashboards. Here are some bits of code that will help; you will need to add other tags to get it to work correctly.

Here is the dropdown.

<input type="dropdown" token="host">
  <label>Host</label>
  <search>
    <query>index=_internal |head 20 | stats count by host</query>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
</input>

This is the base search that uses the dropdown.

<search id="base_stats">
  <query>index=_internal host=$host$ | head 10</query>
</search>

Here is the table XML that is used to do the postprocess and the table visualization.

<table>
  <title>Sourcetypes</title>
  <search base="base_stats">
    <query>stats count by sourcetype</query>
  </search>
</table>

0 Karma
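
A small checker for the failure woodcock describes (a token in a search that never gets a value), run against a Simple XML form built around alacercogitatus's snippets. This is an added example, not code from either poster or from Splunk; the wrapper tags, the static `<choice>`, the `eval note` clause and the `unset_tokens` helper are assumptions, and tokens that Splunk sets itself (for example `$env:user$`) are not recognized and would be reported.

```python
import difflib
import re
import xml.etree.ElementTree as ET

# Constructed sample: the snippets from the answer above wrapped in the <form>,
# <fieldset>, <row> and <panel> tags they need, with a static <choice> list and
# one deliberately misspelled token ($Host$ instead of $host$).
SAMPLE = """<form>
  <fieldset>
    <input type="dropdown" token="host">
      <label>Host</label>
      <choice value="*">All</choice>
    </input>
  </fieldset>
  <search id="base_stats">
    <query>index=_internal host=$Host$ | head 10</query>
  </search>
  <row><panel><table>
    <title>Sourcetypes</title>
    <search base="base_stats">
      <query>stats count by sourcetype | eval note="$$literal$$"</query>
    </search>
  </table></panel></row>
</form>"""

# $name$, optionally with a form. prefix or a |filter suffix such as $name|s$
TOKEN_RE = re.compile(r"\$([\w.:]+)(?:\|\w+)?\$")

def unset_tokens(dashboard_xml):
    """Return (search id, token, closest defined token or None) for every token
    used in a <query> that no <input>, <set> or <eval> element defines."""
    root = ET.fromstring(dashboard_xml)
    defined = sorted({el.get("token") for el in root.iter()
                      if el.tag in ("input", "set", "eval") and el.get("token")})
    findings = []
    for search in root.iter("search"):
        query = (search.findtext("query") or "").replace("$$", "")  # $$ = literal $
        for name in TOKEN_RE.findall(query):
            if name.startswith("form."):
                name = name[len("form."):]
            if name not in defined:
                near = difflib.get_close_matches(name, defined, n=1, cutoff=0.6)
                findings.append((search.get("id", "(no id)"), name, near[0] if near else None))
    return findings

if __name__ == "__main__":
    for search_id, token, hint in unset_tokens(SAMPLE):
        print(f"search {search_id}: ${token}$ is never set (closest defined: {hint})")
```
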