Splunk Dev

postprocess chaining - multiple postprocess searches

OL
Communicator

Hello,

I was wondering if anyone have successfully done a chain of postprocesses?

I'm using the django template {% postprocess ... %} but if I try to chain two or three postprocesses, I get wrong results. Here is below a very simple example, where I'm expecting the table4 to show a stats table but this is not the case. Any work around for this?

{% block content %}
    {% table id="table1" managerid="search1" pageSize="10" %}
    {% table id="table2" managerid="postproc1_1" pageSize="10" %}
    {% table id="table3" managerid="postproc2" pageSize="10" %}
    {% table id="table4" managerid="postproc3" pageSize="10" %}
{% endblock content%}

{% block managers %}
    {% searchmanager
        id="search1"
        search="index=_internal | head 1000 | fields - _raw | fields sourcetype"
        earliest_time="-4h@h"
        latest_time="now"
        cache=False
        preview=False
        exec_mode="blocking" %}

    {% postprocessmanager
        id="postproc1"
        managerid="search1"
        search="search sourcetype=splunk*" %}

    {% postprocessmanager
        id="postproc1_1"
        managerid="postproc1"
        search=" search sourcetype!=splunkd | stats count as total by sourcetype" %}

    {% postprocessmanager
        id="postproc2"
        managerid="postproc1"
        search="search sourcetype=splunkd | stats count by sourcetype" %}

    {% postprocessmanager
        id="postproc3"
        managerid="postproc1_1"
        search="search sourcetype=splunk* " %}

{% endblock managers %}

Regards,
Olivier

svenwendler
Path Finder

Tried to do it just now with javascript and basically you can't chain it because the postprocessmanager doesn't have the same functionality as the searchmanager.

Really bad Splunk Design, as this it's very inefficient to keep having to access the data from the searchmanager.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...