Hello,
I was wondering if anyone have successfully done a chain of postprocesses?
I'm using the django template {% postprocess ... %} but if I try to chain two or three postprocesses, I get wrong results. Here is below a very simple example, where I'm expecting the table4 to show a stats table but this is not the case. Any work around for this?
{% block content %}
{% table id="table1" managerid="search1" pageSize="10" %}
{% table id="table2" managerid="postproc1_1" pageSize="10" %}
{% table id="table3" managerid="postproc2" pageSize="10" %}
{% table id="table4" managerid="postproc3" pageSize="10" %}
{% endblock content%}
{% block managers %}
{% searchmanager
id="search1"
search="index=_internal | head 1000 | fields - _raw | fields sourcetype"
earliest_time="-4h@h"
latest_time="now"
cache=False
preview=False
exec_mode="blocking" %}
{% postprocessmanager
id="postproc1"
managerid="search1"
search="search sourcetype=splunk*" %}
{% postprocessmanager
id="postproc1_1"
managerid="postproc1"
search=" search sourcetype!=splunkd | stats count as total by sourcetype" %}
{% postprocessmanager
id="postproc2"
managerid="postproc1"
search="search sourcetype=splunkd | stats count by sourcetype" %}
{% postprocessmanager
id="postproc3"
managerid="postproc1_1"
search="search sourcetype=splunk* " %}
{% endblock managers %}
Regards,
Olivier
Tried to do it just now with javascript and basically you can't chain it because the postprocessmanager doesn't have the same functionality as the searchmanager.
Really bad Splunk Design, as this it's very inefficient to keep having to access the data from the searchmanager.