Splunk® Enterprise

Developing Dashboards, Views, and Apps for Splunk Web


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Drive multiple panels in a form

You can use post process to drive multiple panels in a search form. Post process allows you to reformat reporting results from the search. When you use post process, the base search must be a reporting search.

This means you can create tables and charts according to specific criteria. For example, you can create various tables that are sorted on different columns, hide some columns, or filter rows that match some criteria. You can also do further aggregation on the original report.

Caution: If the base search that you post process is not a search that generates reports, the results of the post process could be wrong.

See How to use one search for a whole dashboard for more information on post processing searches.

Use the same search in multiple panels

You can configure one search to drive multiple outputs. This example has one base search that takes in a single search term. It then drives two separate searches that contain tokens matching user-entered values in the fieldset of the form. These panels display the results in a table panel and a chart panel.

Note: The token attribute of each distinct search must match at least one of the input nodes defined within the fieldset.

<form>
  <label>Form search example - inverted flow, panel-defined search</label>

  <!-- Define a common form search input for the panels below -->
  <fieldset>
    <input type="text" token="username">
      <label>Global username</label>
      <default>*</default>
      <seed>claire</seed>
    </input>

    <input type="time" />

  </fieldset>

  <row>
    <chart>
      <title>Commits over time</title>
      <searchTemplate>
        index=access_logs user=$username$ | timechart count
      </searchTemplate>
      <option name="charting.chart">area</option>
    </chart>
    
    <table>
      <title>Top files touched by the user</title>
      <searchTemplate>
        index=access_logs user=$username$ | top filePath
      </searchTemplate>
    </table>
  </row>

</form>

Single-search, multi-post process

This example takes a single search and displays different facets of that search through post-processing. It combines the searches in the previous example into one search.

The form search returns one result set. The searchPostProcess node inside each panel takes the results and runs (post processes) them through a separate search pipeline.

The basic model is:

  1. Create a base search seeded in the searchTemplate node that returns a report with a superset of data.
  2. Create searchPostProcess nodes to filter or aggregate the base report.


<form>
  <label>Form search example - inverted flow, panel-defined post-process</label>

  <!-- Define a search that returns a single result set. -->
  <!-- The subsequent panels choose specific results to display -->
  <searchTemplate>
    sourcetype=p4change OR sourcetype=jira user=$username$ | head 10000
  </searchTemplate>

  <fieldset>
    <input type="text" token="username">
      <label>Global username</label>
      <default>NON_EXISTENT</default>
      <seed>johnvey*</seed>
    </input>
    <input type="time" />
  </fieldset>

  <row>
    <chart>
      <title>Commits over time</title>
      <searchPostProcess>timechart count</searchPostProcess>
      <option name="charting.chart">area</option>
    </chart>
    
    <table>
      <title>Top files touched by the user</title>
      <searchPostProcess>top filePath</searchPostProcess>
    </table>
  </row>

  <row>
    <table>
      <title>Users vs changetype</title>
      <searchPostProcess>ctable user changetype maxcols=4</searchPostProcess>
      <option name="count">20</option>
    </table>
  
    <chart>
      <title>Average lines added by the user</title>
      <searchPostProcess>timechart avg(added)</searchPostProcess>
      <option name="charting.chart">line</option>
      <option name="charting.legend.placement">none</option>
    </chart>
  </row>

</form>
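
The following form is an added example, not part of the Splunk documentation. It shows the same model with a base search that is itself a reporting search, as the caution at the top of this topic requires. The one-hour span, the `commits` field name, and the choice of `stats` fields are assumptions; the sourcetype and field names are taken from the example above.

```xml
<form>
  <label>Post-process over a reporting base search (added example)</label>

  <!-- Base search: a reporting search. stats reduces the raw events to one
       row per hour, user, filePath and changetype, with a count column.
       The 1h span is an assumption chosen for illustration. -->
  <searchTemplate>
    sourcetype=p4change user=$username$ | bucket _time span=1h | stats count by _time, user, filePath, changetype
  </searchTemplate>

  <fieldset>
    <input type="text" token="username">
      <label>Global username</label>
      <default>NON_EXISTENT</default>
    </input>
    <input type="time" />
  </fieldset>

  <row>
    <chart>
      <title>Commits over time</title>
      <!-- Sum the per-row counts; counting rows would undercount commits. -->
      <searchPostProcess>timechart span=1h sum(count) as commits</searchPostProcess>
      <option name="charting.chart">area</option>
    </chart>

    <table>
      <title>Top files touched by the user</title>
      <!-- Further aggregation on the base report, then sort and truncate. -->
      <searchPostProcess>stats sum(count) as count by filePath | sort -count | head 10</searchPostProcess>
    </table>
  </row>

  <row>
    <table>
      <title>Users vs changetype</title>
      <!-- Pivot the aggregated rows instead of running ctable on raw events. -->
      <searchPostProcess>chart sum(count) over user by changetype</searchPostProcess>
      <option name="count">20</option>
    </table>
  </row>
</form>
```

Each post-process pipeline here re-aggregates the `count` column that the base search produced, so a panel can only use fields that the base `stats` clause kept.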

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

The last example shows how to make a common search for all the rows in the form and then specify the search inside a panel with searchPostProcess.

How can one use one common search inside a row with multiple panels?

I've tried to put searchTemplate inside a row and then to use different searchPostProcess-es for each panel inside a row. But it didn't work out.

IKate
June 7, 2012
