There are several other form elements available, with many options to customize their behavior. To find the official documentation, search splunk.com for Build and edit forms with simple XML. There are also many useful examples in the documentation and in the UI Examples app (see the UI Examples app section, earlier in this chapter).
Post-processing search results
You may have noticed that, in our previous example, all of our queries started
with the same actual query:
sourcetype="impl_splunk_gen" loglevel=error user="$user$"
It is of course wasteful to run the same query four times. Using <searchPostProcess>, we can run the query once and then run commands on the results for each panel.
The first step is to move the initial query out of the panel to the top level of the XML.
The results from <searchTemplate> will be used by a panel if it has no query of its own or will be used as the source for <searchPostProcess>.
One additional piece of information is needed: the fields that are needed by the panels. We can get this by using table, like so:
<?xml version='1.0' encoding='utf-8'?>
<form>
<searchTemplate>
sourcetype="impl_splunk_gen" loglevel=error user="$user$"
| table _time _raw network req_time logger
</searchTemplate>
table mandates what fields will be passed from this query. _time is needed by the timechart command. _raw is used by the events listing panel at the bottom. network, req_time, and logger are used in the by clauses of each panel, respectively.
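A panel whose post-process command groups by a field that table did not pass along has nothing to group on, which is easy to miss on a monitoring dashboard. The following check is an added example, not code from the book or from Splunk: it parses a constructed dashboard (the row and chart layout, the panel queries, and the deliberately broken host panel are assumptions) and reports any field used by a panel that the base search drops.

```python
import xml.etree.ElementTree as ET

# Constructed dashboard in legacy simple XML. The panel queries are assumptions;
# the last panel groups by `host`, which the base search's table does not pass on.
DASHBOARD = """<form>
  <label>Errors User Form PostProcess</label>
  <searchTemplate>
    sourcetype="impl_splunk_gen" loglevel=error user="$user$"
    | table _time _raw network req_time logger
  </searchTemplate>
  <row>
    <chart><searchPostProcess>timechart count by network</searchPostProcess></chart>
    <chart><searchPostProcess>bucket bins=10 req_time | stats count by req_time</searchPostProcess></chart>
    <chart><searchPostProcess>stats count by logger</searchPostProcess></chart>
    <chart><searchPostProcess>stats count by host</searchPostProcess></chart>
  </row>
</form>"""

def _words(segment):
    return segment.replace(",", " ").split()

def base_fields(root):
    """Fields listed by the last `table` command in <searchTemplate>."""
    query = root.findtext("searchTemplate") or ""
    tables = [_words(s)[1:] for s in query.split("|") if _words(s)[:1] == ["table"]]
    return set(tables[-1]) if tables else set()

def needed_fields(post_process):
    """Fields a post-process string relies on: `by` clauses, plus _time for timechart."""
    needed = set()
    for segment in post_process.split("|"):  # naive split: ignores pipes inside quotes
        words = _words(segment)
        if words[:1] == ["timechart"]:
            needed.add("_time")
        if "by" in words:
            needed.update(w for w in words[words.index("by") + 1:] if "=" not in w)
    return needed

def missing_fields(xml_text):
    """Map each <searchPostProcess> query to the fields the base search drops."""
    root = ET.fromstring(xml_text)
    have = base_fields(root)
    report = {}
    for node in root.iter("searchPostProcess"):
        gap = needed_fields(node.text or "") - have
        if gap:
            report[(node.text or "").strip()] = sorted(gap)
    return report

if __name__ == "__main__":
    print(missing_fields(DASHBOARD))
```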
Let's edit our dashboard XML accordingly.
<?xml version='1.0' encoding='utf-8'?>
<form>
<label>Errors User Form PostProcess</label>
<searchTemplate>