newbie to advanced XML - text input + single search with multiple panels and post processing

brettcave
Builder

I have decided to get my hands dirty with advanced XML, and have found the UI Examples app to be very helpful, as well as the "Use one search for a whole dashboard" page. However, I am battling to get a text input parameter to pull through as a filter on the primary hidden search. Here's what I am trying to do, and the XML below that I have so far:

Objective: have a text input that is used in a filter of a hidden search, with post processing that populates various results.

XML:

<module name="TextSetting" layoutPanel="panel_row1_col1">
    <param name="elementName">modUserId</param>
    <param name="label">User ID</param>
    <param name="settingName">userId</param>

    <module name="HiddenSearch"  layoutPanel="panel_row2_col1" autoRun="False">
        <param name="search">
            index="main" eventtype="UserAuthentication"
            | eval someField=$target$ | eval someField=if(isnull(someField),"someFieldNull",someField)
            | eval otherField=$userId$ | eval otherField=if(isnull(otherField),"otherFieldNull",otherField)
            | stats count by UserID someField otherField
        </param>

        <module name="SimpleResultsTable" layoutPanel="panel_row2_col1"></module>

        <module name="HiddenPostProcess" layoutPanel="panel_row2_col2_grp1">
            <param name="search">
                stats dc(UserID)
            </param>
            <module name="SimpleResultsTable"></module>
        </module>
    </module>        
</module>

How do I get the text input through to the HiddenSearch? I have tried $modUserId$, $userId$ and $target$, but it is not going through as I want.

1 Solution

sideview
SplunkTrust

In the core advanced XML you need to read up on 'intentions'. The TextSetting module outputs only a simple key, and in just the core XML simple keys cannot be substituted into $foo$ tokens in the HiddenSearch. You need to first use a ConvertToIntention module to convert it to a stringreplace intention.

Or you could use the ExtendedFieldSearch module instead of TextSetting, because ExtendedFieldSearch, while its config is a lot more complicated, at least can output the stringreplace intention directly.

But what I really recommend is that you go to Sideview Utils. I have a 10-minute demo here:
http://www.youtube.com/watch?v=9UTiJ65tlmY

and one of the things I go through in the demo, is how if you're going to switch to the Advanced XML, you should just jump then and there to using Sideview Utils rather than try and survive with just the core advanced XML. You can also read some testimonials from other Splunk users.

Converted to use Sideview modules, your config would look like:

<module name="TextField" layoutPanel="panel_row1_col1" autoRun="False">
  <param name="name">userId</param>
  <param name="label">User ID</param>
  <param name="template">| eval otherField=$value$ | eval otherField=if(isnull(otherField),"otherFieldNull",otherField)</param>

  <module name="Search"  layoutPanel="panel_row2_col1">
    <param name="search">
        index="main" eventtype="UserAuthentication"
        | eval someField="$target$" | eval someField=if(isnull(someField),"someFieldNull",someField)
        $userId$
        | stats count by UserID someField otherField
    </param>

    <module name="Pager">
      <module name="Table" ></module>
    </module>

    <module name="PostProcess" layoutPanel="panel_row2_col2_grp1">
      <param name="search">
            stats dc(UserID)
      </param>
      <module name="Table"></module>
    </module>
  </module>        
</module>

Note that just in this small example, there are the following benefits of using Sideview Utils:

1) No intentions. Don't need them.
2) If you ever need to paginate a table when there's a postprocess search, the Pager will do it correctly and the Splunk Paginator module will draw the wrong number of page links.
3) The Sideview TextField module has a template param so that if the field is left empty there won't be a syntax error.
4) If you need to do simple $foo$ substitution into a postprocess search, the Sideview PostProcess module can do it, and the Splunk HiddenPostProcess cannot, with or without intentions.

This is in addition to a lot of other benefits that the Table and TextField modules have. But you can read about all of it in the Sideview Utils documentation, contained within the app itself after you install it and restart Splunk.

http://sideviewapps.com/apps/sideview-utils
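
The core advanced XML route described at the start of the answer above, written out as an added example (not part of the original post and not Splunk's own sample code): a ConvertToIntention module placed between the question's TextSetting and HiddenSearch turns the `userId` setting into a stringreplace intention. The surrounding modules are copied from the question; the search is simplified here, and it is an assumption of this example that the token is wrapped in double quotes so `eval` reads the input as a string literal rather than a field name.

```xml
<module name="TextSetting" layoutPanel="panel_row1_col1">
  <param name="elementName">modUserId</param>
  <param name="label">User ID</param>
  <param name="settingName">userId</param>

  <!-- Convert the simple "userId" setting into a stringreplace intention. -->
  <module name="ConvertToIntention">
    <param name="settingToConvert">userId</param>
    <param name="intention">
      <param name="name">stringreplace</param>
      <param name="arg">
        <!-- This key is the token name: it is what $userId$ refers to
             in the HiddenSearch below. -->
        <param name="userId">
          <!-- $target$ stands for the value of the converted setting. -->
          <param name="value">$target$</param>
        </param>
      </param>
    </param>

    <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="False">
      <param name="search">
        index="main" eventtype="UserAuthentication"
        | eval otherField="$userId$"
        | stats count by UserID otherField
      </param>

      <module name="SimpleResultsTable" layoutPanel="panel_row2_col1"></module>

      <!-- HiddenPostProcess cannot take $foo$ substitution, so it stays static. -->
      <module name="HiddenPostProcess" layoutPanel="panel_row2_col2_grp1">
        <param name="search">
          stats dc(UserID)
        </param>
        <module name="SimpleResultsTable"></module>
      </module>
    </module>
  </module>
</module>
```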

brettcave
Builder

OK. That took about 10 - 15 minutes to sell me on Sideview. Understanding of Splunk: +10 through going through some of the util examples. I don't have the final solution yet, but can see the approach and I'm sure I'll have it up today (2 days wasted in advanced XML so far).

brettcave
Builder

Thanks dmaislin, haven't had a chance to test yet, will hopefully be able to install and start working with Sideview next week (I think this is the 3rd response that recommends it, so definitely something I think we would benefit from).
