Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Can I use the hidden post-processing module in sim...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I use the hidden post-processing module in simple XML? Or is that only a feature of advance xml?
ashnet16
Path Finder
12-21-2014
03:47 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bandit
Motivator
02-23-2015
01:05 PM
I was having trouble with the documentation where the syntax seems to be different that than the Splunk 6.x Dashboard Examples. Possibly one is simple xml and the other is advanded xml? Anyways, I found the example mentioned by Martin in https://apps.splunk.com/app/1603/ much more helpful. I also found it helpful to string both searches together and test in the search app prior to trying to embed them into a dashboard as adding two tiers to your search slight changes the way you compute statistics.
3 searches before post process:
earliest=-60m latest=now index=_* | stats count by index
earliest=-60m latest=now index=_* | stats count by sourcetype
earliest=-60m latest=now index=_* | stats count by source
Failed attempt for search 1:
earliest=-60m latest=now index=_* | stats count by index sourcetype source | stats count by index
This it what I changed it to:
earliest=-60m latest=now index=_* | stats count by index sourcetype source | stats sum(count) as count by index
http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/PostProcess
I created my own example dashboard as well:
<form>
<label>Hidden Post Process Search Test</label>
<description>Test using one base search to feed to feed multiple dashboard panels</description>
<search id="internal_data">
<query>earliest=-60m latest=now index=_* | stats count by index sourcetype source</query>
</search>
<row>
<panel>
<title>Index</title>
<chart>
<search base="internal_data">
<query>| stats sum(count) as count by index</query>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">false</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="wrap">true</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<title>Sourctype</title>
<chart>
<search base="internal_data">
<query>| stats sum(count) as count by sourcetype</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<title>Source</title>
<chart>
<search base="internal_data">
<query>| stats sum(count) as count by source</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
</form>
Pasting the example from Splunk 6.x dashboard examples here:
<form>
<label>Post Process Search</label>
<description>Each panel post processes the base search through a separate search pipeline.</description>
<search id="internal_data">
<query>index=_internal | head 1000</query>
</search>
<fieldset autoRun="true" submitButton="false">
<input type="time" searchWhenChanged="true">
<default>
<earliestTime>-24h</earliestTime>
<latestTime>now</latestTime>
</default>
</input>
</fieldset>
<row>
<chart>
<title>Events over Time</title>
<search base="internal_data">
<query>timechart count</query>
</search>
<option name="charting.chart">column</option>
</chart>
<table>
<title>Top Sourcetypes</title>
<search base="internal_data">
<query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
</search>
<option name="displayRowNumbers">true</option>
</table>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bandit
Motivator
03-01-2015
02:44 PM
Do you know if the ability to set/hide one or more base searches will be coming to the Splunk UI in a future version?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martin_mueller
SplunkTrust
03-01-2015
12:32 PM
The AdvancedDev manual book refers to AdvancedXML, the SimpleXML reference is here: http://docs.splunk.com/Documentation/Splunk/6.2.2/Viz/PanelreferenceforSimplifiedXML#search and the documentation is here: http://docs.splunk.com/Documentation/Splunk/6.2.2/Viz/Savedsearches#Post-process_searches
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bandit
Motivator
03-01-2015
02:45 PM
Thanks, Martin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martin_mueller
SplunkTrust
12-21-2014
03:53 PM
SimpleXML has its own post processing, grab the Splunk 6 Dashboard Examples app from https://apps.splunk.com/app/1603/ and take a look at the examples.
The basic idea is that you define a search tag somewhere and reference it from a second search tag, post processing the results from the first search using the second search.
Get Updates on the Splunk Community!
Detecting Remote Code Executions With the Splunk Threat Research Team
REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...
Observability | Use Synthetic Monitoring for Website Metadata Verification
If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
