How to Utilize Post-Process Searches in Splunk Simple XML and HTML

It took me a while to figure out how to use a Post-Process Search in a Splunk Dashboard, so I thought it would be a good idea to remind my future self how it’s done.

This is a Simple XML dashboard. It is essentially the same as the example in my last post. The full source code is attached to this post.

To use a Post-Process search, only three changes are needed:

  1. Add a tag as a child of the or tag. This tag should contain the base of your search.
  2. Add base="global" to the tag for each panel that you want to use the Post-Process search.
  3. Remove the first part of each query that is now included in the base query.

Example showing necessary changes to Simple XML dashboard
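
The three changes above applied in one dashboard, as an added example (this is not the source attached to the original post). The element names (dashboard, search with id="global", query) follow Splunk's Simple XML reference rather than this page, and the index, fields and queries are constructed for illustration.

```xml
<!-- Added example: index, field names and queries are constructed for illustration. -->
<dashboard>
  <label>Login attempts (post-process example)</label>

  <!-- Change 1: the base search, declared once as a child of the root element.
       It ends in a transforming command (stats) so that every field the
       panels need (_time, user, info, count) is present in its results. -->
  <search id="global">
    <query>index=_audit action="login attempt" | bin _time span=1h | stats count by _time, user, info</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Attempts by outcome</title>
      <chart>
        <!-- Change 2: base="global" ties this panel to the base search.
             Change 3: the query holds only what follows the base query. -->
        <search base="global">
          <query>stats sum(count) AS attempts by info</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <title>Failed logins by user</title>
      <table>
        <search base="global">
          <query>search info=failed | stats sum(count) AS failures by user | sort - failures</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

If the base search is not transforming, end it with an explicit fields command, because a post-process search only sees the fields the base search returns.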