Using multiple searchTemplates in a dashboard, why is the search from the first panel being run in the second panel?

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I've put together the following form.

<form>
      <label>Simple select drop down</label>
      <!-- define master search template, with replacement tokens delimited with $ -->
      <searchTemplate>|rest /services/search/jobs 
    |search NOT (author="splunk-system-user" OR author="monitoring")
    |search title!="" 
    |search author =$author$ 
    |addtotals fieldname=duration *duration_secs 
    |convert rmunit(duration) as numSecs
    |eval stringSecs=tostring(duration,"duration")  
    |eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
    |rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
    |eval stringSecs=myRest. "s " .ms. "ms" 
    |eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
    |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(earliestTime) 
    |eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(latestTime) 
    |eval daterange= "From: ".earliestTime.", To: ".latestTime 
    |makemv delim=", " daterange  
    |sort +author
    |table author eai:acl.app title daterange  NoOfDays stringSecs 
    |rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
      <fieldset>
        <!-- Define a simple dropdown form driven by a search -->
        <input type="time" token="timerange">
          <label>Select the Time Range</label>
          <default>
            <earliest>-7d@h</earliest>
            <latest>now</latest>
          </default>
        </input>
        <input type="dropdown" token="author">
          <label>Select series</label>
          <search>
            <query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$
    |search NOT (author="splunk-system-user" OR author="monitoring")    
    |search title!=""  
    |stats count by author</query>
          </search>
          <choice value="*">Any</choice>
          <fieldForLabel>author</fieldForLabel>
          <fieldForValue>author</fieldForValue>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>Splunk Searches Performed - Results for $author$</title>
            <search base="global">
            </search>
            <option name="count">50</option>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
          </table>
        </panel>
      </row>
    <row>
        <panel>
          <table>
            <title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
            <search>
              <searchTemplate>|rest /services/search/jobs 
    |search NOT (author="splunk-system-user" OR author="monitoring")
    |search title!=""
    |search author =$author$ 
    |addtotals fieldname=duration *duration_secs 
    |convert rmunit(duration) as numSecs 
    |eval stringSecs=tostring(duration,"duration")  
    |eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
    |rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
    |eval stringSecs=myRest. "s " .ms. "ms" 
    |eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
    |where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(earliestTime) 
    |eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
    |convert timeformat="%d/%b/%Y" ctime(latestTime) 
    |eval daterange= "From: ".earliestTime.", To: ".latestTime 
    |makemv delim=", " daterange 
    |sort +author 
    |table author eai:acl.app title daterange  NoOfDays stringSecs 
    |rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"
    </searchTemplate>
            </search>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="drilldown">cell</option>
            <option name="dataOverlayMode">none</option>
            <option name="count">10</option>
          </table>
        </panel>
      </row>
    </form>

Although the drop-down menus work and the searches return the desired results, the problem I have relates to the second panel in the dashboard.

When I select the values from the drop-down menus on the dashboard, the search from the first panel runs in the second, rather than the search I've coded into the XML.

I suspect it's because each search is within the same named "SearchTemplate", but I cannot be sure.

I just wondered whether someone may be able to look at this please and offer some guidance on how I can overcome this issue.

Many thanks and kind regards

Chris

1 Solution

IRHM73
Motivator

Hi, thank you for looking at my post.

I actually found the solution here, so I moved the "Search Templates" between the tags.

So my final code was:

<form>
  <label>Splunk User Activity Monitoring</label>
  <!-- define master search template, with replacement tokens delimited with $ -->
  <fieldset>
    <!-- Define a simple dropdown form driven by a search -->
    <input type="time" token="timerange">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="author">
      <label>Select a User</label>
      <search>
        <query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$ |search NOT (author="splunk-system-user" OR author="monitoring")     |search title!=""   |stats count by author</query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>author</fieldForLabel>
      <fieldForValue>author</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchTemplate>|rest /services/search/jobs 
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!="" 
|search author =$author$ 
|addtotals fieldname=duration *duration_secs 
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")  
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
|eval stringSecs=myRest. "s " .ms. "ms" 
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
|eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime) 
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime) 
|eval daterange= "From: ".earliestTime.", To: ".latestTime 
|makemv delim=", " daterange  
|sort +author
|table author eai:acl.app title daterange  NoOfDays stringSecs 
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
        <title>Splunk Searches Performed - Results for $author$</title>
        <option name="count">50</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
        <searchTemplate>|rest /services/search/jobs 
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$ 
|addtotals fieldname=duration *duration_secs 
|convert rmunit(duration) as numSecs 
|eval stringSecs=tostring(duration,"duration")  
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
|eval stringSecs=myRest. "s " .ms. "ms" 
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
|where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime) 
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime) 
|eval daterange= "From: ".earliestTime.", To: ".latestTime 
|makemv delim=", " daterange 
|sort +author 
|table author eai:acl.app title daterange  NoOfDays stringSecs 
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Searches Taking Longer Than 5 Minutes To Complete</title>
        <searchTemplate>|rest /services/search/jobs   
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$ 
|addtotals fieldname=duration *duration_secs   
|where duration>=300 
|convert rmunit(duration) as numSecs   
|eval stringSecs=tostring(duration,"duration")   
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")  
|rex field=stringSecs "\.(?<ms>\d{2})" 
| rex field=stringSecs "(?<myRest>.+)s\."   
|eval stringSecs=myRest. "s " .ms. "ms" 
|sort +author   
|table author eai:acl.app title stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", stringSecs as "Query Runtime"</searchTemplate>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

Kind Regards

Chris

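An added check, written for this thread and not part of the original posts or of Splunk: a small standard-library Python linter that flags the two layouts the question shows (a form-level searchTemplate consumed through a base= binding, and a searchTemplate nested inside search) and passes the per-panel layout of the accepted solution. Both sample dashboards are constructed to mirror the thread, and the set of visualisation tag names is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the question: a form-level <searchTemplate>,
# a panel bound to base="global", and a panel nesting <searchTemplate> in <search>.
BROKEN_FORM = """<form>
  <label>Simple select drop down</label>
  <searchTemplate>|rest /services/search/jobs |search author=$author$</searchTemplate>
  <row><panel><table>
    <search base="global"></search>
  </table></panel></row>
  <row><panel><table>
    <search><searchTemplate>|rest /services/search/jobs |where NoOfDays>=90</searchTemplate></search>
  </table></panel></row>
</form>"""

# Constructed sample in the shape of the accepted solution: each table owns its template.
FIXED_FORM = """<form>
  <label>Splunk User Activity Monitoring</label>
  <row><panel><table>
    <searchTemplate>|rest /services/search/jobs |search author=$author$</searchTemplate>
  </table></panel></row>
  <row><panel><table>
    <searchTemplate>|rest /services/search/jobs |where NoOfDays>=90</searchTemplate>
  </table></panel></row>
</form>"""

# Assumed set of Simple XML visualisation elements that carry a search.
VIS_TAGS = {"table", "chart", "single", "event", "map"}

def lint_dashboard(xml_text):
    """Return (panel_number, finding) pairs for panels that will not run the
    query written into them; panel 0 denotes the <form> element itself."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("searchTemplate") is not None:  # direct child of <form> only
        findings.append((0, "form-level searchTemplate: panels without their own query inherit it"))
    # Only <search id="..."> elements are legitimate targets for base="..."
    declared_ids = {s.get("id") for s in root.iter("search") if s.get("id")}
    for num, panel in enumerate(root.iter("panel"), start=1):
        for vis in (c for c in panel if c.tag in VIS_TAGS):
            before = len(findings)
            own_query = vis.find("searchTemplate") is not None
            for search in vis.findall("search"):
                base = search.get("base")
                if search.find("searchTemplate") is not None:
                    findings.append((num, "searchTemplate nested inside search: place it directly under the visualisation"))
                elif search.find("query") is not None or (base and base in declared_ids):
                    own_query = True
                elif base:
                    findings.append((num, f"search base={base!r} names no <search id=...> in this dashboard"))
            if not own_query and len(findings) == before:
                findings.append((num, "panel has no query of its own"))
    return findings
```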


ngatchasandra
Builder

Hi IRHM73,

Try to remove

 <search>  </search> 

and write only:

 <searchTemplate>|rest /services/search/jobs 
     |search NOT (author="splunk-system-user" OR author="monitoring")
     |search title!=""
     |search author =$author$ 
     |addtotals fieldname=duration *duration_secs 
     |convert rmunit(duration) as numSecs 
     |eval stringSecs=tostring(duration,"duration")  
     |eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
     |rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
     |eval stringSecs=myRest. "s " .ms. "ms" 
     |eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
     |where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
     |convert timeformat="%d/%b/%Y" ctime(earliestTime) 
     |eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
     |convert timeformat="%d/%b/%Y" ctime(latestTime) 
     |eval daterange= "From: ".earliestTime.", To: ".latestTime 
     |makemv delim=", " daterange 
     |sort +author 
     |table author eai:acl.app title daterange  NoOfDays stringSecs 
     |rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"
     </searchTemplate>

IRHM73
Motivator

Hi, thank you for coming back to me with this. You must have been quick off the mark because I had deleted the question having found a solution which I'll post in the answer section.

Kind Regards

Chris
