How to Utilize Post-Process Searches in Splunk Simple XML and HTML


It took me a while to figure out how to use a Post-Process Search in a Splunk Dashboard, so I thought it would be a good idea to remind my future self how it's done.

This is a Simple XML dashboard. It is essentially the same as the example in my last post. The full source code is attached to this post.

In order to use a Post Process search, only three changes are needed:

  1. Add a <searchTemplate> tag as a child of the <dashboard> or <form> tag. This tag should contain the base of your search.
  2. Add base="global" to the <search> tag for each panel that you want to use the Post Process search.
  3. Remove the first part of each query that is now included in the base query.

Example showing necessary changes to Simple XML dashboard