Developing Dashboards, Views, and Apps for Splunk Web

How to drive multiple panels from one search

You can use post process to have one search drive multiple outputs in a form.

When you use post process, the base search must be a reporting search. Post process lets you reshape the reporting results of that search, so you can build tables and charts to specific criteria from one set of results. For example, you can create several tables that are sorted on different columns, hide some columns, or filter rows that match some criteria. You can also aggregate the original report further.

Caution: If the base search that you post process is not a search that generates reports, the results of the post process can be wrong. See How to use one search for a whole dashboard for more information on post processing searches.

Here are a few examples.

One search with multiple outputs

You can configure one search to drive multiple outputs. The following example has one base search that takes in one search term. This search then feeds into two separate searches that drive a table and a chart.

<form>
  <label>Form search example 3 - inverted flow, panel-defined search</label>

  <fieldset>

<!-- define a common form search input that will be used by all panels below -->
    <input type="text" token="username">
      <label>Global username</label>
      <default>*</default>
      <seed>claire</seed>
    </input>

    <input type="time" />

  </fieldset>

  <row>
    <chart>
      <title>Commits over time</title>
      <searchTemplate>index=access_logs user="$username$" | timechart count</searchTemplate>
      <option name="charting.chart">area</option>
    </chart>
    
    <table>
      <title>Top files touched by the user</title>
      <searchTemplate>index=access_logs user="$username$" | top filePath</searchTemplate>
    </table>
  </row>

</form>

The form above dispatches two separate searches, but both use the value the user entered in the fieldset section. The token referenced by each searchTemplate must match the token attribute of at least one of the input nodes defined within the fieldset.

Single-search, multi-post process

This example runs a single search and displays different facets of its results through post-processing. With this method, the two searches of the previous example can be combined into one:

<form>
  <label>Form search example 4 - inverted flow, panel-defined post-process</label>

  <!-- define a search that returns, in one result set,  all of the data that is 
    needed by the subsequent panels -->
  <searchTemplate>sourcetype=p4change OR sourcetype=jira user="$username$" | head 10000</searchTemplate>

  <fieldset>

    <input type="text" token="username">
      <label>Global username</label>
      <default>NON_EXISTENT</default>
      <seed>johnvey*</seed>
    </input>

    <input type="time" />

  </fieldset>

  <row>
    <chart>
      <title>Commits over time</title>
      <searchPostProcess>timechart count</searchPostProcess>
      <option name="charting.chart">area</option>
    </chart>
    
    <table>
      <title>Top files touched by the user</title>
      <searchPostProcess>top filePath</searchPostProcess>
    </table>
  </row>

  <row>
    <table>
      <title>Users vs changetype</title>
      <searchPostProcess>ctable user changetype maxcols=4</searchPostProcess>
      <option name="count">20</option>
    </table>
  
    <chart>
      <title>Average lines added by the user</title>
      <searchPostProcess>timechart avg(added)</searchPostProcess>
      <option name="charting.chart">line</option>
      <option name="charting.legend.placement">none</option>
    </chart>
  </row>

</form>

The searchPostProcess node inside each panel instructs the form search to take the final results of the base search and run them through a separate search pipeline. The basic model is to seed a base search in the form-level searchTemplate node that returns a report containing a superset of the data, at a finer grain than any single panel needs. The searchPostProcess nodes then filter and/or aggregate that base report for each panel.
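The following form is an added example, not from the original page, that applies the same pattern to authentication failures. Unlike the example above, its base search is a reporting search (events are binned and counted with stats), so the caution about non-reporting base searches is satisfied and the panels work on a complete aggregate rather than a list of events cut off by head. The sourcetype and field names (linux_secure, action, user, src) are assumptions about the indexed data.

```xml
<form>
  <label>Failed logins by user (added example)</label>

  <!-- Base search is a reporting search: events are binned into hourly
       buckets and counted per user and source. Every field a panel needs
       must appear in the BY clause, because post process cannot see
       fields the base search dropped.
       sourcetype, action, user and src are assumed field names. -->
  <searchTemplate>sourcetype=linux_secure action=failure user="$username$" | bin _time span=1h | stats count AS failures BY _time user src</searchTemplate>

  <fieldset>
    <input type="text" token="username">
      <label>Username</label>
      <default>*</default>
    </input>

    <input type="time" />
  </fieldset>

  <row>
    <chart>
      <title>Failed logins per hour</title>
      <!-- the base rows are already hourly counts, so sum them per bucket -->
      <searchPostProcess>timechart span=1h sum(failures) AS failures</searchPostProcess>
      <option name="charting.chart">column</option>
    </chart>

    <table>
      <title>Accounts with the most failures</title>
      <!-- sum, not count or top: each base row carries a count already -->
      <searchPostProcess>stats sum(failures) AS failures BY user | sort -failures | head 10</searchPostProcess>
    </table>
  </row>

  <row>
    <table>
      <title>Sources failing against many distinct accounts</title>
      <!-- dc(user) works here only because user is in the base BY clause -->
      <searchPostProcess>stats sum(failures) AS failures dc(user) AS accounts BY src | where accounts > 5 | sort -accounts</searchPostProcess>
    </table>
  </row>

</form>
```

Two design points follow from using a reporting base search. First, the post-process commands aggregate the aggregate: they use sum(failures) rather than count or top, because each base row already represents many events. Second, the base search's BY clause decides what the panels can ask for; the third panel's distinct count of users is only possible because user was kept at the base level, so add a field there before you try to post-process on it.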

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8