Post Process Searches in Dashboard Studio

nathanielchin
Loves-to-Learn Lots

How can I implement a post process search using the Dashboard Studio framework? 

I can see that there is excellent documentation for doing this in XML (Searches power dashboards and forms - Splunk Documentation), but I can't seem to find relevant information for how to do this in the markdown for Dashboard Studio. Note: I am not attempting to use a savedSearch.

0 Karma

gcusello
SplunkTrust

Hi @nathanielchin ,

as @ITWhisperer said, Dashboard Studio doesn't have the Post Process Search feature, but a very similar feature called "chained searches" is available.

In other words, you have to create your base search and then create the other searches starting from the base search, chaining the new search to it.

For more information, see https://docs.splunk.com/Documentation/SplunkCloud/latest/DashStudio/dsChain

Ciao.

Giuseppe

0 Karma
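
The chained-search setup described in the reply above, as an added example that is not part of the original thread: a `ds.chain` data source appends its query to a base `ds.search` through the `extend` option. The IDs (`ds_base`, `ds_chain_filtered`, `viz_base`, `viz_filtered`), names and queries are constructed for illustration, and only the `visualizations` and `dataSources` sections of a dashboard definition are shown.

```json
{
  "visualizations": {
    "viz_base": {
      "type": "splunk.table",
      "title": "BaseTable (constructed example)",
      "dataSources": {
        "primary": "ds_base"
      }
    },
    "viz_filtered": {
      "type": "splunk.table",
      "title": "FilteredTable (constructed example)",
      "dataSources": {
        "primary": "ds_chain_filtered"
      }
    }
  },
  "dataSources": {
    "ds_base": {
      "type": "ds.search",
      "options": {
        "query": "| makeresults count=5 | streamstats count AS row",
        "queryParameters": {
          "earliest": "-15m",
          "latest": "now"
        }
      },
      "name": "BaseSearch"
    },
    "ds_chain_filtered": {
      "type": "ds.chain",
      "options": {
        "extend": "ds_base",
        "query": "| where row <= 2"
      },
      "name": "ChainedFilter"
    }
  }
}
```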

nathanielchin
Loves-to-Learn Lots

I'm familiar with "Chain Searching" - however, when chain searches execute, they also refresh the base search as well as all of the other linked chain searches. This is great for its use case.

However, what I'm intending to do is have a base result set that I can then execute further queries/filters against to display filtered data without having to refresh/re-execute the base search.

Similar to as if I were to use loadjob. The reason I can't use loadjob currently is because I cannot set the base search as a saved search, so I'm looking for a way around this. I also don't quite know how/if it's possible to implement loadjob <sid> into my dashboard based on a sid from another table within the dashboard.

0 Karma

ITWhisperer
SplunkTrust

Set your primary data source to a search like this

|  loadjob $<data source which loads your saved search>:job.sid$

The primary search which loads your saved search needs to allow access to its metadata, e.g.

ITWhisperer_0-1724856735869.png

 

0 Karma

nathanielchin
Loves-to-Learn Lots

nathanielchin_0-1724862764462.png

This is the result of the snippet I posted.

0 Karma

nathanielchin
Loves-to-Learn Lots

I don't have a "saved search" for this query, unfortunately, as I'm not yet able to make an actual "saved search".

Just trying to perform some filtering on the results of a search made within the dashboard without reloading the search.

I've attempted what I think you're proposing, but the "PostProcessTable"/"PostProcessSearch", which is supposed to load the job from the "BaseTable"/"BaseSearch", is not loading. Instead, it reads, "Waiting for input...".

I will note that I am on Splunk version 9.0.4, and the switch you pointed out "Access search results or metadata" reads as "Use search results or job status as tokens" in my version of Dashboard Studio. I'm not sure if the issue is:

  • my version of Splunk being 9.0.4
  • the fact that I'm not using a saved search
  • or I'm implementing your proposal incorrectly (very very possible)

See example snippet below:

"visualizations": {
    "viz_A2Ecjpct": {
        "type": "splunk.table",
        "dataSources": {
            "primary": "ds_fpJiS8Hp"
        },
        "title": "BaseTable"
    },
    "viz_Ok7Uvz2b": {
        "type": "splunk.table",
        "title": "PostProcessTable",
        "dataSources": {
            "primary": "ds_q4BDo5Wr"
        }
    }
},
"dataSources": {
    "ds_fpJiS8Hp": {
        "type": "ds.search",
        "options": {
            "query": "| makeresults count=5",
            "queryParameters": {
                "earliest": "-15m",
                "latest": "now"
            },
            "enableSmartSources": true
        },
        "name": "BaseSearch"
    },
    "ds_q4BDo5Wr": {
        "type": "ds.search",
        "options": {
            "query": "| loadjob $ds_fpJiS8Hp:job.sid$",
            "enableSmartSources": true
        },
        "name": "PostProcessSearch"
    }
},

 

0 Karma

ITWhisperer
SplunkTrust

Do you mean chained searches?

0 Karma