Splunk Search

Is it possible to reuse the same raw search results multiple times, using different postprocessing?

Glenn
Builder

I'm trying to make a view/dashboard that contains a lot of panels showing different views of basically the same search. This search is quite heavy, and takes a long time, as it analyses GBs of data looking for transactions.

I am currently using four panels on my view, and each panel runs its own instance of the search, differing slightly only with the final piped search commands (count of all transactions, timechart average duration, timechart max duration, and a table listing all transactions with duration greater than 2).

I understand I could reuse the search text using a macro, but what I want to use is the actual results of the underlying search passed through transaction, and then have each of the different view panels use the underlying transaction results, and only apply its own trailing commands to transform the data as required.

It seems wrong to have to run such a heavy search multiple times, overloading the Splunk server unnecessarily, when all I need to do is apply a couple of different things to the results. Independently of the transaction search, these would complete very quickly.

What do I need to do to achieve this?

gkanapathy
Splunk Employee

As others have noted, "searchPostProcess" in Simple XML (and "HiddenPostProcess" in Advanced XML) do what you ask. However, you should be aware that currently (version 4.1.4) only up to 10,000 results/events will be passed from the base search to any postprocessing search, so if your base search returns more than this, it won't be terribly useful.

pde
Path Finder

Sure. What you're looking for is 'searchPostProcess'. The best way to understand this is to get the "UI Examples for 4.1" application from splunkbase. The specific technique you want is shown in the dashboard called "Using postProcess on Dashboards" under the "Advanced XML" tab.

Paolo_Prigione
Builder

I think the best help here is to refer you to these docs pages:

  1. How to drive multiple panels from one search (scroll to: "single-search, multi-post process")
  2. How to use one search for a whole dashboard.

The former makes examples with forms and simple views, the latter uses advanced views. In both cases you basically define a master search outside of the "panels" and then you apply postprocessing to its results inside of each panel.

Beware of a current bug which prevents some kinds of panels from correctly treating the postprocessing in the "simple" mode. There is some info on this bug at this page: Splunk Forum: hiddenPostProcess
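As an added example (not from this thread or from Splunk's own documentation), this is how the question's four panels look as one Simple XML dashboard in the 4.x syntax the answers refer to: a dashboard-level searchTemplate runs the heavy transaction search once, and each panel supplies only its trailing commands in searchPostProcess. The index, sourcetype and session field are assumed placeholders.

```xml
<dashboard>
  <label>Transaction overview (one base search, four post-processed panels)</label>

  <!-- Base search, executed once for the whole dashboard.
       index, sourcetype and the JSESSIONID correlation field are assumptions. -->
  <searchTemplate>index=web sourcetype=access_combined | transaction JSESSIONID maxspan=5m</searchTemplate>
  <earliestTime>-4h</earliestTime>
  <latestTime>now</latestTime>

  <row>
    <!-- Panel 1: count of all transactions -->
    <single>
      <title>Total transactions</title>
      <searchPostProcess>stats count AS transactions</searchPostProcess>
    </single>
  </row>

  <row>
    <!-- Panel 2: average duration over time; duration is produced by transaction -->
    <chart>
      <title>Average transaction duration (s)</title>
      <searchPostProcess>timechart avg(duration) AS avg_duration</searchPostProcess>
      <option name="charting.chart">line</option>
    </chart>
    <!-- Panel 3: maximum duration over time -->
    <chart>
      <title>Maximum transaction duration (s)</title>
      <searchPostProcess>timechart max(duration) AS max_duration</searchPostProcess>
      <option name="charting.chart">line</option>
    </chart>
  </row>

  <row>
    <!-- Panel 4: every transaction slower than 2 seconds; eventcount also comes from transaction -->
    <table>
      <title>Transactions slower than 2 s</title>
      <searchPostProcess>where duration &gt; 2 | table _time, JSESSIONID, duration, eventcount | sort - duration</searchPostProcess>
    </table>
  </row>
</dashboard>
```

Post-processing only sees the base search's output, so every field a panel uses (duration and eventcount here) must already be present in the transaction results, and the 10,000-event cap gkanapathy describes applies to that base result set, so the time range must keep it below that limit for the panels to be trustworthy.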
