Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

pipe automatically added to search

helmekkaoui
New Member
‎11-15-2019 05:49 AM

Hello Splunkers,

I am using a DataModel on lot of the Dahsboards that I have, so, the searchs created behind are using < |pivot ... >
In order to optimize the Dashboard I thought of using a base search that will use the first and common part of the pivot search and then on each panel call this base search and add a SPLITCOL part so soemthing like this : 

<search id="basic_search">
    <query> | pivot shopping_reshaping Test FILTER field1 is "value1"  count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto  SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 
    </query>  
</search>

<search base="basic_search">
          <query> SPLITCOL Type</query>
</search>

The problem with that is that when I get back to the UI mode of the dashboard I notice the the search isnt working because there is a | that is added between the basic_search and the other query so it is something like that : 

 |pivot shopping_reshaping Test FILTER field1 is "value1"  count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto  SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 | SPLITCOL Type

What I want is : 

 |pivot shopping_reshaping Test FILTER field1 is "value1"  count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto  SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 SPLITCOL Type

Can someone help me ?

Many thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gaurav_maniar
Builder
‎11-15-2019 07:02 AM

Hi,

The concept of Base Search is to load the search on the dashboard loading and use it multiple times.
Splunk will pass the results of the base search to the next search, not the query. So you can add eval, stats or any other command to manipulate the data but you can edit or append to the existing base query.

You can achieve this by including default token initialization, add any where outside row elements,

<init>
    <set token="base_search">| pivot shopping_reshaping Test FILTER field1 is "value1"  count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto  SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1</set>
<init>

Now use it in your panel queries,

<row>
    <panel>
        <table>
            <search>
                <query>$base_search$ SPLITCOL Type</query>
                <earliest></earliest>
                <latest></latest>
            </search>
        </table>
    </panel>
</row>

accept the answer if it helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gaurav_maniar
Builder
‎11-15-2019 07:02 AM

Hi,

The concept of Base Search is to load the search on the dashboard loading and use it multiple times.
Splunk will pass the results of the base search to the next search, not the query. So you can add eval, stats or any other command to manipulate the data but you can edit or append to the existing base query.

You can achieve this by including default token initialization, add any where outside row elements,

<init>
    <set token="base_search">| pivot shopping_reshaping Test FILTER field1 is "value1"  count(Code) AS "Count of Codes" SPLITROW _time AS _time PERIOD auto  SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1</set>
<init>

Now use it in your panel queries,

<row>
    <panel>
        <table>
            <search>
                <query>$base_search$ SPLITCOL Type</query>
                <earliest></earliest>
                <latest></latest>
            </search>
        </table>
    </panel>
</row>

accept the answer if it helps.

0 Karma
Reply
Solved! Jump to solution

helmekkaoui
New Member
‎11-15-2019 08:23 AM

I will try this, thank you !

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎11-15-2019 06:50 AM

The base search is executed first, then the queries of the various panels are performed to post-process the results of the base search within each panel. So you base search needs to work on its own and a panel's query can only add additional commands to post-process the results of the base search.

0 Karma
Reply
Solved! Jump to solution

helmekkaoui
New Member
‎11-15-2019 06:54 AM

the base search works fine on its own if only the panel's query can be added to it without adding that pipe

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎11-15-2019 07:29 AM

But that panel's query you have is not a separate search command that post-processes the results of the base search. It is not like the base search string is glued together with the panel query string and then executed as 1 search. The base search is executed separately and the results passed to into each panel query. So a panel query must consist of post-processing commands.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...