Dashboards & Visualizations

addcoltotals ignored in HiddenPostProcess ?

Alex_Megremis
Explorer

If I have

<module name="HiddenSearch" autoRun="False" layoutPanel="mainSearchControls">
    <param name="search">index=myIndex 
            eventtype="EVENTS_TYPE_01" OR  
            eventtype="EVENTS_TYPE_02" OR
            eventtype="EVENTS_TYPE_03"
        | timechart span="1d" count(eventtype) by eventtype
        | addtotals rows=t cols=t</param>

it works as expected. I get a Total row and column on a table

However, if I do

<module name="HiddenSearch" autoRun="False" layoutPanel="mainSearchControls">
    <param name="search">index=myindex01
            eventtype="EVENTS_TYPE_01" OR  
            eventtype="EVENTS_TYPE_02" OR
            eventtype="EVENTS_TYPE_03"
        | timechart span="1d" count(eventtype) by eventtype
    <module name="HiddenPostProcess">
        <param name="search"> | addtotals rows=t cols=t</param>

which I would be doing to avoid having the totals column mess up my chart's Y axis, for example, the Totals row isn't there. It's the same if I do

        <param name="search"> | addtotals | addcoltotals</param>

EDIT: The behaviour is exhibited even in a clean XML with a hierarchy of nothing but:

<module name="HiddenSearch">
    <module name="HiddenPostProcess">
        <module name="SimpleResultsTable">

Does anyone have any idea why this is, and how to fix it?

I vaaaaguely have a recollection of this being a known issue of some sort, but I'm probably wrong.

All help appreciated.

Thanks!

Tags (2)
0 Karma

sideview
SplunkTrust
SplunkTrust

UPDATE: sorry in my earlier answer I missed the fact that the total column was being added correctly but it was just the row of totals at the bottom that was not.

There's an outside chance that the Paginator is just cutting it off. The Paginator module was never extended to support postProcess, so it may be requesting the data in such a way that the last row tacked on by postProcess gets ignored. Maybe throw a head and/or tail command in there to see if you can get it to appear, just to troubleshoot.

PREVIOUS ANSWER:

What's the search before the addtotals command? It's possible that the search is just a plain old events search. If that's the case then Splunk wont know at search time that it is expected to extract all the fields, so it will only extract fields that are referred to in the search terms.

Then at postprocess-time, the UI asks for the fields to be totalled up, but there arent any numeric fields so hence no total?

the pitfalls with postprocess are documented here http://www.splunk.com/base/Documentation/4.1.6/Developer/PostProcess and perhaps a bit easier to follow in the ui_examples app's view 'using postprocess with dashboards'.

At any rate, knowing at least what kind of search is the key to this question. It really should work fine.

Side Note: "autoRun=False" will do nothing and is exactly the same as leaving it undefined. Since it's dangerous to have more than one autoRun="True" in any single subbranch of the config I recommend deleting autoRun="False" whenever you see it.

0 Karma

Alex_Megremis
Explorer

I've edited the question to reflect this.

0 Karma

Alex_Megremis
Explorer

Thanks.

No - sadly the paginator doesn't seem to have any relation. I have cleaned up the XML so that the hierarchy contains only:

HiddenSearch
- HiddenPostProcess with addtotals or addcoltotals calls
- SimpleResultsTable

I still lose the column totals.

Any other ideas?

0 Karma

sideview
SplunkTrust
SplunkTrust

Ah! My apologies I read too fast. See updated answer.

0 Karma

Alex_Megremis
Explorer

Thanks for answering!

I have edited the question to reveal the structure of the search. All the resulting fields are numeric, apart from the date.

As I mentioned, I still get totals per row, but I lose the totals per column.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...