Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to run a postprocess search to load a table taking values from a static pulldown?

harshal_chakran
Builder
‎07-07-2015 02:13 AM

Hi,

I am trying to achieve the below format in advanced xml
--MainSearch
---Pulldown with static options
----Postprocess search to load a table taking values from pulldown

When I do this, the postprocess search is not running.
Can anybody please help me with the sample code or the correct format to use?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-07-2015 06:40 AM

I am assuming that you are getting "Waiting for data to load" (you really should be more specific). Generally the problem is that you have a token in your search somewhere that does not have a value. This happens EITHER when you are using a token, saytokenx, and have mis-spelled it somewhere (e.g. Tokenx, tokenX or even toknex) OR when you are copying a search string from somewhere else and do not notice that it has a token buried in it and you have not set this token. It can also happen if you have a search string copied from a working search bar example that uses the $field name$ syntax to specify that a thing is a field name and not a string. In such a case, you need to translate it to $$field name$$ inside your dashboard to escape the dashbaord from using it is a token.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎07-07-2015 05:19 AM

Advanced XML is deprecated. Use Simple XML or HTML Dashboards. Here are some bits of code that will help, you will need to add other tags to get it to work correctly.

Here is the dropdown.

 <input type="dropdown" token="host">
  <label>Host</label>
  <search>
    <query>index=_internal |head 20 | stats count by host</query>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
</input>

This is the base search that uses the dropdown.

<search id="base_stats">
<query>index=_internal host=$host$ | head 10</query>
</search>

Here is the table xml that is used to do the postprocess and the table visualization.

<table>
    <title>Sourcetypes</title>
    <search base="base_stats">
      <query>stats count by sourcetype</query>
    </search>
  </table>
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...