Splunk Search

How to view dashboard subsearches using HiddenSearch?

pravusnex
Explorer

Hi,

I am creating a custom view dashboard. In that I'm trying to utilize the same search to extract a single value and then modify that search slightly to put the rest of the results in a column chart. I would think that this would be fairly easy, but I'm missing something. I could just have two separate searches but that would be an inefficient use of resources.

In the example below I try to create a child "HiddenSearch". I don't get any errors, but all I see in the view is "No Result Data".

Any help would be appreciated.

<view template="dashboard.html">
   <label>myapp Identity Verification</label>

   <module name="AccountBar" layoutPanel="appHeader" />

   <module name="AppBar" layoutPanel="navigationHeader" />

   <module name="Message" layoutPanel="messaging">
      <param name="filter">*</param>

      <param name="clearOnJobDispatch">False</param>

      <param name="maxSize">1</param>
   </module>

   <module name="TitleBar" layoutPanel="viewHeader">
      <param name="actionsMenuFilter">dashboard</param>
   </module>

   <module name="TimeRangePicker" group="Success Rate" layoutPanel="panel_row1_col1">
      <param name="selected">Last 7 days</param>

      <param name="searchWhenChanged">True</param>

      <module name="GenericHeader">
         <param name="label">Success Rate</param>

         <module name="HiddenSearch" autoRun="True">
            <param name="search">sourcetype="myapp_app_audit" End | stats count(eval((operation="ResetPIN" AND ref_step="Resolve" AND step="CheckAnswer") OR (operation="SetACI" AND ref_step="Resolve" AND (step="NeedNewCID" OR step="ForgotCID")) OR (operation="CreatePIN" AND ref_step="Resolve" AND match(step,"Register*")) OR (operation="ChangePIN" AND step="Change" AND ref_step="Resolve"))) AS Succeeded, count(eval(ref_step="InitNoAuth" AND step="Resolve")) AS Attempted | eval Failed=Attempted-Succeeded |eval SuccessRate=round(Succeeded/Attempted,2)</param>

            <module name="SingleValue">
               <param name="beforeLabel">Success Rate</param>

               <param name="format">percent</param>

               <param name="field">SuccessRate</param>
            </module>

            <module name="HiddenSearch" autoRun="True">
               <param name="search">|fields Attempted Failed Succeeded|untable "status" "status" "count"</param>

               <module name="HiddenChartFormatter">
                  <param name="chart">column</param>

                  <param name="primaryAxisTitle.text">Accumulated Totals</param>

                  <param name="secondaryAxisTitle.text">Transaction Count</param>

                  <param name="legend.placement">none</param>

                  <module name="JobProgressIndicator" />

                  <module name="FlashChart">
                     <param name="width">100%</param>

                     <param name="height">200px</param>
                  </module>

                  <module name="SimpleResultsTable" />
               </module>
            </module>
         </module>
      </module>
   </module>
</view>
1 Solution

gkanapathy
Splunk Employee

You need to use the HiddenPostProcess module to apply commands to data from a higher-level search. HiddenSearch will just run a different search from scratch, and in this case, just running the command |fields ... will produce no data.

Update:

The charts do not want data in untabled format. They need it in tables, where each series is a column. However, it also requires an x field to indicate the series grouping name/id. Assuming you just want three columns displayed (Attempted, Succeeded, Failed), to format your original search for the chart, instead of untable, you should use:

| fields Attempted Succeeded Failed | eval Units="count"

The name of the field and value don't matter.
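
The layout this answer describes, as an added example that is not part of the original post: the base search stays in one HiddenSearch, SingleValue reads it directly, and the chart branch hangs off a HiddenPostProcess child that uses the post-process string given above. The base search is trimmed from the question's search to a single success condition for readability; every module and param name is one already used in this thread.

```xml
<!-- Added example: fragment to nest under the TimeRangePicker module of the view. -->
<module name="HiddenSearch" autoRun="True">
   <!-- Base search, dispatched once per time range change.
        Trimmed from the question: only the ChangePIN success condition is kept. -->
   <param name="search">sourcetype="myapp_app_audit" End | stats count(eval(operation="ChangePIN" AND step="Change" AND ref_step="Resolve")) AS Succeeded, count(eval(ref_step="InitNoAuth" AND step="Resolve")) AS Attempted | eval Failed=Attempted-Succeeded | eval SuccessRate=round(Succeeded/Attempted,2)</param>

   <!-- Reads the SuccessRate field straight from the base search results. -->
   <module name="SingleValue">
      <param name="beforeLabel">Success Rate</param>
      <param name="format">percent</param>
      <param name="field">SuccessRate</param>
   </module>

   <!-- Applies further commands to the parent job's results instead of
        starting a new search, which is why a child HiddenSearch holding
        only "|fields ..." returned no data. -->
   <module name="HiddenPostProcess">
      <!-- One row, one column per series, plus a grouping field (Units). -->
      <param name="search">| fields Attempted Succeeded Failed | eval Units="count"</param>

      <module name="HiddenChartFormatter">
         <param name="chart">column</param>
         <param name="secondaryAxisTitle.text">Transaction Count</param>

         <module name="FlashChart">
            <param name="width">100%</param>
            <param name="height">200px</param>
         </module>
      </module>
   </module>
</module>
```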


pravusnex
Explorer

I'm leaving the full code for what I am trying to do now that I know "HiddenPostProcess" exists. The |untable command seems to not work.

<view template="dashboard.html">
   <label>Test Area</label>

   <module name="AccountBar" layoutPanel="appHeader" />

   <module name="AppBar" layoutPanel="navigationHeader" />

   <module name="Message" layoutPanel="messaging">
      <param name="filter">*</param>

      <param name="clearOnJobDispatch">False</param>

      <param name="maxSize">1</param>
   </module>

   <module name="TitleBar" layoutPanel="viewHeader">
      <param name="actionsMenuFilter">dashboard</param>
   </module>

   <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
      <param name="selected">Last 7 days</param>

      <param name="searchWhenChanged">True</param>

      <module name="HiddenSearch" autoRun="True">
         <param name="search">(sourcetype="corps_app_error" NOT monitoring:W_ResponseTimeThresholdExceeded NOT common:F_RMDC_MissingRequiredValue NOT "Relationship * not supported") OR (sourcetype="corps_app_audit" End step="Resolve") | transaction ReqId | stats count(ReqId) AS Attempted, count(eval(NOT sourcetype="corps_app_error")) AS Succeeded |eval Failed=Attempted-Succeeded |eval SuccessRate=round(Succeeded/Attempted,2)</param>

         <module name="SingleValue">
            <param name="beforeLabel">Success Rate</param>

            <param name="format">percent</param>

            <param name="field">SuccessRate</param>
         </module>

         <module name="HiddenPostProcess">
            <param name="search">|fields Attempted Failed Succeeded |untable "status" "status" "count"</param>

            <module name="HiddenChartFormatter">
               <param name="chart">column</param>

               <param name="primaryAxisTitle.text">Identify User</param>

               <param name="secondaryAxisTitle.text">Transaction Count</param>

               <param name="legend.placement">None</param>

               <module name="JobProgressIndicator" />

               <module name="FlashChart">
                  <param name="width">100%</param>

                  <param name="height">200px</param>
               </module>

               <module name="SimpleResultsTable" />
            </module>
         </module>
      </module>
   </module>
</view>
0 Karma

pravusnex
Explorer

Actually I kind of get what you are saying. I can make the chart if I use "Units", but how do I make the chart use that as my x-axis? It certainly isn't doing it in any way I can figure out.

0 Karma

pravusnex
Explorer

Well, my table got messed up in comment formatting. It's basically a table with headers status & count. Then row 1, 2, 3.

0 Karma

pravusnex
Explorer

I don't think that's right for what I am trying to do. My chart is a summation, not a chart over time. I have only been able to produce the chart I want by getting it in the following format.

   status     count
1  Attempted  658
2  Failed     122
3  Succeeded  536

So, I'm still a little stuck in that area. When I run this from the search app it works great and the chart is exactly what I want. When I do it in the "view" it gets messed up.

0 Karma

pravusnex
Explorer

Thank you for that. I see that documentation. It is only partially working for me though. The initial search works and then it appears that the HiddenPostProcess kind of works, but it seems to stumble. I'm trying to turn this into a column chart and the use of the |untable command doesn't reorient the table like it does in the search bar.

Any suggestions for a different way to produce the same table is certainly welcome.

0 Karma

gkanapathy
Splunk Employee

Oh, that's interesting...it's not in the online docs. I'll file a bug on that. In general, you can see docs for the modules in your own Splunk instance by going to http://localhost:8000/modules though.

0 Karma

pravusnex
Explorer

Where is this documented?

0 Karma

uf100272
Loves-to-Learn Lots

addtotals

0 Karma