Developing Dashboards, Views, and Apps for Splunk Web

Use one search for a whole dashboard

Sometimes you end up with a dashboard running various searches that are very similar. You can save search resources by creating a dashboard in Advanced XML that feeds all downstream panels with one single search. This topic shows how to use one base search for a dashboard, and use the HiddenPostProcess module to process the search differently for each panel.

The HiddenPostProcess module lets you reformat the reporting results of a search. When you use post process, the base search must be a reporting search. Because the base search's results are already aggregated, you can build tables and charts from them according to specific criteria: for example, tables sorted on different columns, tables with some columns hidden, or rows filtered on a condition. You can also aggregate the original report further.

Note: Post process does not work for all modules. Currently it is supported for SingleValue, SimpleResultsTable, EventsViewer, and FlashChart. It is not supported in MultiFieldViewer, ResultsHeader, SimpleResultsHeader, FlashTimeline and SuggestedFieldViewer.
Caution: Only use post process on a base search that is a reporting search. You can mangle your results if you do not construct your base search correctly. Some primary reporting commands are:
  • chart
  • top
  • rare
  • stats
"Use reporting commands" in the User manual provides additional reporting commands with examples.

Construct your base search

When you build your base search, it is tempting to write a simple search and pipe it to the post process searches in the downstream panels. However, this does not work. The downstream panels must know about every field you want to compute statistics on, so you must include those fields in the base search. For example, if you intend to count by the fields IP, user, series, and host, you must explicitly include those fields in the base search. The post process searches then have everything they need to process the results.

For example, a good base search typically includes these clauses at the end of the search query:

| bin _time span=5min | stats count by series, eps, kb, kbps, _time

The stats count with the various group-by clauses is important. Without these specified in the search you lose the benefits of map-reduce in distributed search. You also subject results to some truncation at 10,000 rows.

The bin command further optimizes the base search so instead of one row per timestamp you have one aggregate row per 5 minute bucket. The following examples show various ways to post process a single search.

Add chrome

First, add the chrome and nav for your view:

<view template="dashboard.html">
  <label>Using postProcess on dashboards</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>
  . . .
</view>

Add the base search

You can use a base search for a view with HiddenSearch or HiddenSavedSearch modules. To save even more search resources, you can use a HiddenSavedSearch that is run on a schedule. The HiddenSearch module is open in this example to add child modules for post process on each panel.

Note: Be careful crafting your search: the results must include all fields on which you may want to run statistics.
. . .
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">
    index=_internal source=*metrics.log group=per_sourcetype_thruput
    | bin _time span=5min | stats count by series, eps, kb, kbps, _time
  </param>
  <param name="earliest">-6h</param>
  . . .
  <!-- Add post process modules -->
  . . .

Post process a search

Use the HiddenPostProcess module to process the results from your base search and feed into a results module. For example, this panel displays search results in a SingleValue module:

<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1">
  <param name="search">
    dedup series | stats count | rangemap field=count
    low=0-29 elevated=30-99 high=100-500 severe=501-10000 default=low
  </param>
  
    <module name="SingleValue">
      <param name="field">count</param>
      <param name="afterLabel"> sourcetypes</param>
      <param name="classField">range</param>
    </module>
    
</module>

More SingleValue modules

The following example shows two additional SingleValue modules with different post process searches.

<module name="HiddenPostProcess"
        layoutPanel="panel_row2_col1_grp2">
  <param name="search">
    stats avg(eps) | rangemap field=avg(eps)
    low=0-999 elevated=1000-10000 high=10000-100000 severe=100000-10000000
  </param>
  
    <module name="SingleValue">
      <param name="field">avg(eps)</param>
      <param name="afterLabel">avg eps</param>
      <param name="classField">range</param>
      <param name="format">decimal</param>
    </module>
    
</module>

<module name="HiddenPostProcess"
        layoutPanel="panel_row2_col1_grp3">
  <param name="search">
    stats sum(kb) | rename sum(kb) as K | eval MB=K/1024
    | rangemap field=MB low=0-99.99 elevated=100-499.99
    high=500-4999.99 severe=5000-100000
  </param>
  
    <module name="SingleValue">
      <param name="field">MB</param>
      <param name="afterLabel">MB</param>
      <param name="classField">range</param>
    </module>
    
</module>

Display post process searches in a chart

The following post process searches display results in a chart, using the HiddenChartFormatter and FlashChart modules.

<module name="HiddenPostProcess"
        layoutPanel="panel_row3_col1">
  <param name="search">timechart avg(eps)</param>
  
    <module name="HiddenChartFormatter">
      <param name="chart">line</param>
      <param name="primaryAxisTitle.text">time</param>
      <param name="secondaryAxisTitle.text">overall eps</param>
      <param name="legend.placement">none</param>
      
        <module name="FlashChart">
          <param name="width">100%</param>
          <param name="height">400px</param>
        </module>
        
    </module>
    
</module>

<module name="HiddenPostProcess"
        layoutPanel="panel_row3_col2">
  <param name="search">
    chart sum(kb) over series | rename sum(kb) as k | eval MB=k/1024
  </param>
  
    <module name="HiddenChartFormatter">
      <param name="chart">bar</param>
      <param name="primaryAxisTitle.text">sourcetype</param>
      <param name="secondaryAxisTitle.text">MB</param>
      <param name="legend.placement">none</param>
      
        <module name="FlashChart">
          <param name="width">100%</param>
          <param name="height">400px</param>
        </module>
        
    </module>
    
</module>
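The caveat in "Construct your base search" (a post process panel can only use fields the base search emits) is easy to violate silently as a dashboard grows. The following checker is an added example, not part of the Splunk documentation or product: it parses an Advanced XML view, takes the fields produced by the base search's `stats ... by` clause, and reports any field a HiddenPostProcess search references that the base search never emits. The sample view is constructed here, and the SPL tokenizing is a deliberate simplification rather than a full parser.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample view (not the page's XML): the page's base search plus two
# post-process panels; the second references "host", which the base search never emits.
SAMPLE_VIEW = """<view template="dashboard.html">
  <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">
      index=_internal source=*metrics.log group=per_sourcetype_thruput
      | bin _time span=5min | stats count by series, eps, kb, kbps, _time
    </param>
    <module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1">
      <param name="search">dedup series | stats count | rangemap field=count low=0-29 default=low</param>
    </module>
    <module name="HiddenPostProcess" layoutPanel="panel_row3_col1">
      <param name="search">timechart avg(eps) by host</param>
    </module>
  </module>
</view>"""

# Simplified SPL tokenizer: aggregation arguments and the field lists after dedup/over/by
# are the references a post-process search makes; eval X=... and "... as X" define local fields.
FIELD_REFS = re.compile(r"\b(?:avg|sum|count|min|max|dc)\((\w+)\)|\b(?:dedup|over|by)\s+([\w, ]+)")
LOCAL_DEFS = re.compile(r"\beval\s+(\w+)\s*=|\bas\s+(\w+)")

def _search_text(module):
    param = module.find("param[@name='search']")
    return " ".join((param.text or "").split()) if param is not None else ""

def base_fields(search):
    """Fields the base search emits: the stats outputs plus its 'by' fields."""
    m = re.search(r"\|\s*stats\s+(.+?)\s+by\s+(.+)$", search)
    if not m:
        raise ValueError("base search must end in a reporting 'stats ... by' clause")
    fields = {agg.strip().split(" as ")[-1].strip() for agg in m.group(1).split(",")}
    fields.update(f.strip() for f in m.group(2).split(","))
    return fields

def check_view(xml_text):
    """Map each HiddenPostProcess layoutPanel to the fields it uses that the base search lacks."""
    report = {}
    for base in ET.fromstring(xml_text).iter("module"):
        if base.get("name") != "HiddenSearch":
            continue
        available = base_fields(_search_text(base))
        for pp in base.iter("module"):
            if pp.get("name") != "HiddenPostProcess":
                continue
            search = _search_text(pp)
            refs = {f.strip() for a, b in FIELD_REFS.findall(search) for f in (a + b).split(",") if f.strip()}
            local = {a or b for a, b in LOCAL_DEFS.findall(search)}
            report[pp.get("layoutPanel")] = sorted(refs - available - local)
    return report
```

Run `check_view(SAMPLE_VIEW)` on the sample: the first panel passes and the second reports `host`, the field to add to the base search's `by` clause.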

This documentation applies to the following versions of Splunk: 4.3