Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Question regarding multiple dashboard inputs with the same search ref

EricWehrly
Engager
‎02-15-2017 11:36 AM

It appears on my dashboard that if I have several inputs that all have the same search ref, that the "waiting for results" rolls from one to the next and so on. The impression I get is that it's re-running the search for each one, but it should just be the same search re-used across inputs.

I tried migrating the source from
< search ref="my search">
to use a base search but it did not like that.

Am I perceiving the functionality correctly? Is there something that I can do to streamline this?

Thank you

Tags (2)
0 Karma
Reply

rjthibod
Champion
‎02-15-2017 01:05 PM

My experience is that base searches using id="search_name" and then using base="search_name" for input elements does not work.

You can get around this limitation (if it is true) by getting the job SID for the base search and then calling loadjob <YOUR_SID> for the input populating search. That does not seem to have any issue (I use it in my app on Splunk 6.x).

Something like this where the token $base_host_list_sid$ contains the SID for the base search.

<input type="dropdown" token="dashboard_host_filter" searchWhenChanged="true">
  <label>Selected Host</label>
    <search>
      <query>
        | loadjob $base_host_list_sid$
            ...
</input
0 Karma
Reply

EricWehrly
Engager
‎02-15-2017 01:45 PM

Where are you pulling the SID from? In my environment, SIDs don't really last > 7 days .... would a report have a constant SID that is updated with each run?

0 Karma
Reply

rjthibod
Champion
‎02-15-2017 02:17 PM

I think it would be helpful if you share more about the dashboard/report because report's typically don't have input options.

Also, is your base search a search in a dashboard or is it coming from a savedsearch? I think that may be where the confusion begins for me.

0 Karma
Reply

EricWehrly
Engager
‎02-15-2017 03:40 PM

The dashboard XML starts more or less like this:

<form>
  <search id="baseSearch">
    <query>(my query)</query>
    <earliest>$timePicker.earliest$</earliest>
    <latest>$timePicker.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="server1" searchWhenChanged="true">
      <label>Server 1</label>
      <search ref="Prod Boxes"></search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
    <input type="dropdown" token="server2" searchWhenChanged="true">
      <label>Server 2</label>
      <search ref="Prod Boxes"></search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
0 Karma
Reply

rjthibod
Champion
‎02-15-2017 03:47 PM

And where is ref="Prod Boxes" coming from? What is that search supposed to be?

0 Karma
Reply

EricWehrly
Engager
‎02-15-2017 03:51 PM

I've got a picture of the GUI for the input here:
https://coxautoinc.box.com/s/mf074qitxcm2dzlhbpfz5d1ge7szh3ez

It's set to come from a report, that's scheduled to run daily. The report should kick out all of the hostnames currently in production.

0 Karma
Reply

rjthibod
Champion
‎02-15-2017 04:19 PM

First, try making fieldforLabel and fieldForValue unique between the two searches. You can disregard my earlier comment about base searches and the SID. I thought you were doing something else.

Also, reports are usually tied to a visualization. The report should be identifiable as a savedsearch, which means you can use the savedsearch command and rename the host fields to be unique. In the example below, I assume your report can be found as the saved search labelled "Prod Boxes". Change that in my example if it is found via a different name.

     <input type="dropdown" token="server1" searchWhenChanged="true">
       <label>Server 1</label>
       <search>| savedsearch "Prod Boxes" | rename host as host1</search>
       <fieldForLabel>host1</fieldForLabel>
       <fieldForValue>host1</fieldForValue>
     </input>
     <input type="dropdown" token="server2" searchWhenChanged="true">
       <label>Server 2</label>
       <search>| savedsearch "Prod Boxes" | rename host as host2</search>
       <fieldForLabel>host2</fieldForLabel>
       <fieldForValue>host2</fieldForValue>
     </input>
0 Karma
Reply

EricWehrly
Engager
‎02-16-2017 02:16 PM

This would be great. Awesome suggestions.

Unfortunately for me, if I tweak it to match that, I get "node is not allowed here" and the inputs don't populate.

0 Karma
Reply

rjthibod
Champion
‎02-16-2017 02:48 PM

Where do you see "node is not allowed here"?

Also, what version of Splunk are you running?

0 Karma
Reply

EricWehrly
Engager
‎02-20-2017 01:21 PM

I see it in the dashboard XML editor.

I'm running Splunk Cloud 6.5.1

0 Karma
Reply

rjthibod
Champion
‎02-21-2017 01:13 AM

You probably need to check that all of your XML is valid. Can you post all of your XML or double-check it in an XML validator in a text editor or online.

0 Karma
Reply

rjthibod
Champion
‎02-15-2017 04:21 PM

As a side note, this sounds like a scenario you could populate a lookup in a savedsearch, and then use the lookup to populate these inputs and the report. I do that in my own app for something like this. That way, the lookup's content persist even if you Splunk goes down or the TTL on the search expires.

0 Karma
Reply

nickhills
Ultra Champion
‎02-15-2017 11:40 AM

Take a look here http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Viz/Savedsearches

Your on the right track - you can use saved searches so that the heavy lifting has occurred before you load the dashboard.

You can also load a single search for the dashboard and then post process the results (depending on the search commands your panels use)

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎02-15-2017 11:46 AM

The link above is for SplunkCloud (which you tagged) but the Splunk Enterprise version (which I think is a bit more comprehensive) is: http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches

If my comment helps, please give it a thumbs up!
0 Karma
Reply

EricWehrly
Engager
‎02-15-2017 01:49 PM

Right now I'm following what's outlined in http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches#Reference_a_search_from_a_report and have two inputs with the same search ref to a report ... however, when I clean my jobs in the manager and refresh the dashboard, I get one entry per input (so two inputs runs the search two times, etc.)

Both of the inputs look like this when referencing the same report:
https://coxautoinc.box.com/s/mf074qitxcm2dzlhbpfz5d1ge7szh3ez

(I'm having a heck of a time getting an image on here so the link will just have to do)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...