Splunk® Enterprise

Developing Dashboards, Views, and Apps for Splunk Web

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Use one search for a whole dashboard

Sometimes you end up with a dashboard running various searches that are similar. You can save search resources by creating a dashboard in advanced XML that feeds all downstream panels with one single search. This topic shows how to use one base search for a dashboard, and use the HiddenPostProcess module to process the search differently for each panel.

HiddenPostProcess module

You can pass events or results to a post process search. However, Splunk recommends that you use a reporting search that passes results. The Post process search example provides an example of how to construct a data cube with your search, and pass results for post processing.

Post process limitations

Be aware of the following limitations when using post process.

A post process search has an unconfigurable limit of 10,000 raw events that can be passed to it. Events in excess of this 10,000 event limit are not processed and silently ignored, resulting in incomplete data reported for the post process search.

Passing a large number of search results from a data cube to a post process search can cause a server time out. In this scenario, consider the following:

  • The number of results and fields returned from the base search.
  • The complexity of the post process operations on these results.

If the post-processing operation takes too long, it can exceed Splunk Web client’s non-configurable timeout value of 30 seconds. This can result in a timeout due to an unresponsive splunkd daemon/service.

About the base search

Post process is best to use for stats instead of collecting raw events. It allows you to reformat reporting results from the search. This means you can create tables and charts according to specific criteria. For example, you can create different visualizations and reports from the same data set. You can also do further aggregation on the original report.

Only use post process on a base search that is a reporting search. You can mangle your results if you do not construct your base search correctly. Splunk recommends that you use summary indexing commands in the base search. This facilitates building the post process searches. Some examples of summary indexing search commands are:

  • sistats
  • sitimechart
  • sitop
  • sichart
  • sirare

Note: You can also use primary reporting commands, such as stat, timechart, top, chart, and rare. But the summary index equivalents provide more flexibility for post process searches.

For more information see Use summary indexing for increased reporting efficiency and Use reporting commands.

Display results of a post process search

Modules that support the display of results from a post process search:

  • SingleValue
  • SimpleResultsTable
  • EventsViewer
  • JSChart
  • FlashChart

Modules not supported for display of post process results:

  • MultiFieldViewer
  • ResultsHeader
  • SimpleResultsHeader
  • FlashTimeline
  • SuggestedFieldViewer.

Post process search example

Construct your base search

For the base search, Splunk recommends that you build a data cube using a reporting command that produces results that can be easily repurposed by post process searches.

The following search reports event size (min, avg, max) by source and sourcetype for the _internal index:

Base search

index=_internal | eval event_size=len(_raw) | sistats count min(event_size) avg(event_size) max(event_size) by source sourcetype

The sistats count with the various group-by clauses is important. Without these specified in the search you lose the benefits of map-reduce in distributed search.

Base searches that return raw events

When you build your base search, it is tempting to build a simple search that feeds raw events to the post process searches in downstream panels. However, this does not work. The sheer number of raw events in this type of search can easily surpass the 10,000 event limit that can be passed to a post process search.

Caution: Base searches that return in excess of 10,000 raw event can result in incomplete results passed to the post process search. See Post process limitations.

Base searches that return an overwhelming number of results

It is also tempting to build a search that returns an overwhelming number of results and fields. This can cause the server to time out during the post process search. Be careful when constructing the base search and the complexity of operations during post process.

Add chrome

First, add the chrome and nav for your view:

<view template="dashboard.html">
  <label>Post process examples</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  . . .

Add the base search

Use the HiddenSearch or HiddenSavedSearch modules to specify the base search.

. . .
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">
   index=_internal | eval event_size=len(_raw) | sistats count min(event_size) avg(event_size) max(event_size) by source sourcetype
   . . .
   <!-- Add post process modules -->
  . . .

Post process a search

Use the HiddenPostProcess module to process the results from your base search and feed into a results module. For example, this panel displays search results in a SingleValue module:

<module name="HiddenPostProcess" layoutPanel="panel_row1_col1"
      group="Post process as single value">
  <param name="search">
    | stats count

  <module name="SingleValue">
    <param name="field">count</param>
    <param name="afterLabel"> events</param>
    <param name="classField">range</param>

This panel displays maximum event size by source in a bar chart:

<module name="HiddenPostProcess"
        layoutPanel="panel_row1_col2" group="Post process as bar chart">
    <param name="search">
      | stats avg(event_size) by sourcetype
    <module name="HiddenChartFormatter">
      <param name="chart">bar</param>
      <param name="primaryAxisTitle.text">Source type</param>
      <param name="secondaryAxisTitle.text">Average event size</param>
      <param name="legend.placement">none</param>
      <module name="JSChart">
        <param name="width">100%</param>
        <param name="height">200px</param>

This panel displays event count per sourcetype in a pie chart:

<module name="HiddenPostProcess"
        layoutPanel="panel_row1_col3" group="Post process as pie chart">

    <param name="search">
      | stats count by sourcetype
    <module name="HiddenChartFormatter">
      <param name="chart">pie</param>
      <param name="chartTitle">Event count by sourcetype</param>
      <module name="JSChart">
        <param name="width">100%</param>
        <param name="height">200px</param>

Example dashboard with post process searches

The following dashboard shows the results of the post process searches listed above.

Dashboard with post process searches

Use lookups with a view
Customization options

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Add a title: In your module tag, add a "group" attribute. The attribute's value will appear as a title.

October 18, 2012

Concur with Matthewcanty, it would be great to see documentation on how to add a title to a chart. Just a link to chart options would help.

October 18, 2012

How do you add a title?

July 17, 2012

It looks like the HiddenSearch does not work in the following workflow: HiddenSearch -> Paginator -> SearchLinkLister. The SearchLinkLister does not notice the results from the HiddenSearch. Thats pity because i would like to speed up a dashboard with many searches over sourcetypes with the same base search over the metadata.

February 27, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters