
HiddenPostProcess vs PostProcess?

fk319
Builder

What is the difference between Splunk's HiddenPostProcess and Sideview Utils PostProcess?

1 Solution

sideview
SplunkTrust

The most important difference is that the Sideview PostProcess module handles $foo$ tokens, whereas Splunk's HiddenPostProcess module does not. To break down what this means, with the Sideview PostProcess module you can put $selectedUser$ into the postProcess search, and if there's a module like a Pulldown upstream outputting that key, then the selected Pulldown value can be incorporated into the postProcess search. With the Splunk HiddenPostProcess module you can't include any dynamic tokens like this (even with intentions in the picture) and instead you're limited to whatever single static postprocess search string that the dashboard developer hardcoded into the view. While HiddenPostProcess has been a useful tool over the years even with that limitation, it is a big limitation.

Past that, there's a long tail of smaller improvements worth mentioning, mostly around all the $foo$ tokens that Sideview Utils adds to make life easier. There are keys like $search.timeRange.earliest$, $search.timeRange.latest$ to get the timebounds of the search, which might be relative, or realtime, or absolute. There are other keys like $results.sid$, $results.eventCount$, $results.scanCount$, and several others to get characteristics of the running job. For instance $results.timeRange.earliest$ and $results.timeRange.latest$ will give you the timerange of the running job, which is subtly different than the timerange of the search, primarily because the job's timerange will always be an absolute timerange, whereas the search timerange might be a relative range like (-24h,now).

You can also refer to the previously existing postProcess search from upstream as $postProcess$ within your PostProcess, which can be a useful trick. And like all Sideview modules, it offers you a customBehavior param in case you hit some weird case in advanced dashboard development where you need to cleanly extend the behavior with a few lines of your own JavaScript.

NOTE: for anyone who might be slow to upgrade, many or most of these extra $foo$ tokens I mentioned are only going to be found in the 2.X versions of Sideview Utils, rather than the older 1.3.X version.
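
The difference described in the answer above, as an added advanced XML fragment (not code from the original post or from the Sideview documentation). The index, field names, option values and layoutPanel values are constructed, and the Pulldown `staticOptions` layout is an assumption based on Sideview Utils 2.X conventions.

```xml
<!-- Constructed fragment of an advanced XML view; not a complete dashboard. -->

<!-- Sideview Utils: the PostProcess search is built from an upstream token. -->
<module name="Search" layoutPanel="panel_row1_col1">
  <!-- One base search; the PostProcess below reuses its results. -->
  <param name="search">index=_internal | stats count by user sourcetype</param>

  <!-- "name" is the key this Pulldown outputs downstream as $selectedUser$. -->
  <module name="Pulldown">
    <param name="name">selectedUser</param>
    <param name="label">User</param>
    <!-- Assumed staticOptions layout; values are constructed. -->
    <param name="staticOptions">
      <list>
        <param name="label">admin</param>
        <param name="value">admin</param>
      </list>
      <list>
        <param name="label">splunk-system-user</param>
        <param name="value">splunk-system-user</param>
      </list>
    </param>

    <!-- $selectedUser$ is replaced with the selected Pulldown value
         before the postProcess search is applied to the base results. -->
    <module name="PostProcess">
      <param name="search">search user="$selectedUser$" | stats sum(count) as events by sourcetype</param>
      <module name="Table" />
    </module>
  </module>
</module>

<!-- Splunk core: HiddenPostProcess takes only the literal string written here.
     A $selectedUser$ token in this param would not be substituted, so the
     user value has to be hardcoded by the dashboard developer. -->
<module name="HiddenSearch" layoutPanel="panel_row2_col1">
  <param name="search">index=_internal | stats count by user sourcetype</param>
  <module name="HiddenPostProcess">
    <param name="search">search user="admin" | stats sum(count) as events by sourcetype</param>
    <module name="SimpleResultsTable" />
  </module>
</module>
```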
