Developing Dashboards, Views, and Apps for Splunk Web

How to use one search for a whole dashboard

Sometimes you end up with a dashboard running lots of different searches that are very similar. You can save search resources by creating an advanced dashboard that feeds all downstream panels from one single search. This topic shows how to use one base search for a dashboard, with a postProcess search in each panel that shapes the base results differently.

Post process lets you reformat the reporting results of a search, so the base search must be a reporting search. You can then build tables and charts according to specific criteria: for example, tables sorted on different columns, tables with some columns hidden, or tables showing only the rows that match some filter. You can also do further aggregation on the original report.

Note: Only use post process on a base search that is a reporting search. Post process does not work with all modules. It is currently supported for SingleValue, SimpleResultsTable, EventsViewer, and FlashChart. It is not supported in MultiFieldViewer, ResultsHeader, SimpleResultsHeader, FlashTimeline and SuggestedFieldViewer.

Construct your base search

CAUTION: You can mangle your results if you do not construct your base search correctly. Do not use post process to generate reports when the base search is not a reporting search. Please read this topic carefully.

When you build your base search, it may be tempting to write a simple search and pipe it to the post process search in your downstream panels. This will not work: downstream panels can only use fields that the base search returns, so you must include every field you want to do statistics on in the base search. For example, if you intend to count by the fields IP, user, series and host, you must explicitly include those fields in your base search. Your postProcess searches will then have all the raw material they need.

For example, a good base search ends with clauses like these: | bin _time span=5min | stats count by series, eps, kb, kbps, _time

The stats count with its group-by fields is the important part. Without it you lose the benefits of map-reduce in distributed search, and the results are subject to truncation at 10,000 rows. The bin command further optimizes the base search: instead of one row per timestamp you get one aggregate row per 5-minute bucket. Everything on this page is built from that one search.

Add chrome

First, add the chrome and nav for your view:

<view template="dashboard.html">
  <label>Using postProcess on dashboards</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>

Add the base search

You can supply a base search for a view with HiddenSearch or HiddenSavedSearch. To save even more search resources, use a HiddenSavedSearch that runs on a schedule. Craft your search carefully: its results must include every field you may want to run statistics on.

<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput  | bin _time span=5min | stats count by series, eps, kb, kbps, _time</param>
  <param name="earliest">-6h</param>

Note that we've left the HiddenSearch module open so we can add more children on with each panel.

Post process the search

Use the HiddenPostProcess module to process the results from your base search, and feed into a results module. For example, this panel displays search results in a SingleValue module:

<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1">
  <!-- number of distinct sourcetypes; rangemap adds the range field used as classField -->
  <param name="search">dedup series | stats count | rangemap field=count low=0-29 elevated=30-99 high=100-500 severe=501-10000 default=low</param>
  <module name="SingleValue">
    <param name="field">count</param>
    <param name="afterLabel"> sourcetypes</param>
    <param name="classField">range</param>
  </module>
</module>

Here are a couple more SingleValue modules with different post process searches.

<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp2">
  <!-- average events per second across all rows of the base search -->
  <param name="search">stats avg(eps) | rangemap field=avg(eps) low=0-999 elevated=1000-10000 high=10000-100000 severe=100000-10000000</param>
  <module name="SingleValue">
    <param name="field">avg(eps)</param>
    <param name="afterLabel">avg eps</param>
    <param name="classField">range</param>
    <param name="format">decimal</param>
  </module>
</module>

<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp3">
  <!-- total KB summed over the base rows, converted to MB -->
  <param name="search">stats sum(kb) | rename sum(kb) as K | eval MB=K/1024 | rangemap field=MB low=0-99.99 elevated=100-499.99 high=500-4999.99 severe=5000-100000</param>
  <module name="SingleValue">
    <param name="field">MB</param>
    <param name="afterLabel">MB</param>
    <param name="classField">range</param>
  </module>
</module>

Here are some post process searches that display results in charts, using a HiddenChartFormatter that feeds a FlashChart.

<module name="HiddenPostProcess" layoutPanel="panel_row3_col1">
  <!-- average eps per 5-minute bucket, drawn as a line chart -->
  <param name="search">timechart avg(eps)</param>
  <module name="HiddenChartFormatter">
    <param name="chart">line</param>
    <param name="primaryAxisTitle.text">time</param>
    <param name="secondaryAxisTitle.text">overall eps</param>
    <param name="legend.placement">none</param>
    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="height">400px</param>
    </module>
  </module>
</module>

<module name="HiddenPostProcess" layoutPanel="panel_row3_col2">
  <!-- total MB per sourcetype, drawn as a bar chart -->
  <param name="search">chart sum(kb) over series | rename sum(kb) as k | eval MB=k/1024</param>
  <module name="HiddenChartFormatter">
    <param name="chart">bar</param>
    <param name="primaryAxisTitle.text">sourcetype</param>
    <param name="secondaryAxisTitle.text">MB</param>
    <param name="legend.placement">none</param>
    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="height">400px</param>
    </module>
  </module>
</module>
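Two rules on this page are easy to break silently: the base search must be a reporting search that already carries every field the panels use (see "Construct your base search"), and a HiddenPostProcess may only feed the modules listed as supported. The following linter is an added example, not code from the Splunk docs or product; it checks a view XML against those two rules, and the field-reference regex, the list of reporting commands and the sample view are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

REPORTING = ("stats", "chart", "timechart")   # commands this page treats as reporting searches
SUPPORTED = {"SingleValue", "SimpleResultsTable", "EventsViewer", "FlashChart"}
# field references a post-process search consumes: func(field), or over/by/dedup <field> (assumed subset of SPL)
FIELD_REF = re.compile(r"\b(?:avg|sum|min|max|dc|values|count)\((\w+)\)|\b(?:over|by|dedup)\s+(\w+)")

def base_fields(search):
    """Fields the base search hands downstream, or None when its last command is not a reporting command."""
    last = search.split("|")[-1].strip()
    if not last.startswith(REPORTING):
        return None
    by = re.search(r"\bby\s+(.+)$", last)
    fields = {f.strip() for f in by.group(1).split(",")} if by else set()
    return fields | set(re.findall(r"\w+\(\w+\)|\bcount\b", last))   # aggregates such as avg(eps) are fields too

def lint_view(xml_text):
    """Return the list of rule violations found in a view; an empty list means it passes."""
    problems = []
    for base in ET.fromstring(xml_text).iter("module"):
        if base.get("name") != "HiddenSearch":      # HiddenSavedSearch keeps its SPL in savedsearches.conf
            continue
        fields = base_fields(base.findtext("param[@name='search']", default=""))
        if fields is None:
            problems.append("base search is not a reporting search")
            fields = set()
        for pp in base.iter("module"):
            if pp.get("name") != "HiddenPostProcess":
                continue
            panel = pp.get("layoutPanel")
            for m in FIELD_REF.finditer(pp.findtext("param[@name='search']", default="")):
                field = m.group(1) or m.group(2)
                if field not in fields:
                    problems.append(f"{panel}: field '{field}' not in base search")
            leaf = next((d.get("name") for d in pp.iter("module")   # first descendant that is not a Hidden* helper
                         if not d.get("name", "").startswith("Hidden")), None)
            if leaf not in SUPPORTED:
                problems.append(f"{panel}: {leaf} does not support postProcess")
    return problems

# Constructed sample view (not from the docs): one valid panel and one that breaks both rules.
SAMPLE_VIEW = """<view template="dashboard.html"><module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">index=_internal source=*metrics.log | bin _time span=5min | stats count by series, eps, kb, kbps, _time</param>
  <module name="HiddenPostProcess" layoutPanel="panel_row3_col2">
    <param name="search">chart sum(kb) over series | rename sum(kb) as k | eval MB=k/1024</param>
    <module name="HiddenChartFormatter"><module name="FlashChart"/></module></module>
  <module name="HiddenPostProcess" layoutPanel="panel_row4_col1">
    <param name="search">stats dc(user) by host</param><module name="MultiFieldViewer"/></module>
</module></view>"""
```

Running lint_view(SAMPLE_VIEW) reports the user and host fields missing from the base search and MultiFieldViewer as an unsupported target, and nothing for the chart panel.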

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8