Solved: s.o.s "view results" drilldown doesn't yield the s...

changwoo · ‎02-19-2014

i am trying to use the dashboard that sos app is supporting

when i click result i can get this search query



index=sos sourcetype="ps" host="SIS1-SERVER1"

| multikv

| eval type=case(like(ARGS, "%search%"),"searches",like(ARGS, "%root.py_%start%") OR like(COMMAND, "%splunkweb%") OR (like(COMMAND,"%python%") AND like(ARGS,"%appserver%")), "Splunk Web",like(ARGS,"%-p_%start%") OR (like(COMMAND,"%splunkd%") AND like(ARGS, "service")),"splunkd server")

| eval RSZ_MB=RSZ_KB/1024

| eval VSZ_MB=VSZ_KB/1024

| bin _time span=5s

| stats first(pctCPU) AS pctCPU, first(RSZ_MB) AS RSZ_MB, first(VSZ_MB) AS VSZ_MB first(type) AS type by PID _time


| stats sum(pctCPU) AS pctCPU, sum(RSZ_MB) AS RSZ_MB, sum(VSZ_MB) AS VSZ_MB by type, _time

| bin _time span=10s

| sistats avg(pctCPU), median(pctCPU), median(RSZ_MB), median(VSZ_MB) by type, _time

but! when i tried it in my own dashboard this didn't work like the app dashboard
what can i do
i tried timechart but the result was different .

hexx · ‎02-19-2014

This is because this dashboard uses a PostProcess search to drive several panels with one root search. Unfortunately, this doesn't play too well with default drill downs which only show you the results for the root search.

If you want to show results as this panel displays them, you need to manually add to PostProcess search command corresponding to this panel as gathered from the view XML.

Here, the PostProcess in question looks like this:

...
So, the search you need is:



index=sos sourcetype="ps" host="SIS1-SERVER1"

| multikv

| eval type=case(like(ARGS, "%search%"),"searches",like(ARGS, "%root.py_%start%") OR like(COMMAND, "%splunkweb%") OR (like(COMMAND,"%python%") AND like(ARGS,"%appserver%")), "Splunk Web",like(ARGS,"%-p_%start%") OR (like(COMMAND,"%splunkd%") AND like(ARGS, "service")),"splunkd server")

| eval RSZ_MB=RSZ_KB/1024

| eval VSZ_MB=VSZ_KB/1024

| bin _time span=5s

| stats first(pctCPU) AS pctCPU, first(RSZ_MB) AS RSZ_MB, first(VSZ_MB) AS VSZ_MB first(type) AS type by PID _time


| stats sum(pctCPU) AS pctCPU, sum(RSZ_MB) AS RSZ_MB, sum(VSZ_MB) AS VSZ_MB by type, _time

| bin _time span=10s

| sistats avg(pctCPU), median(pctCPU), median(RSZ_MB), median(VSZ_MB) by type, _time

| chart median(RSZ_MB) over _time by type

View solution in original post

hexx · ‎02-19-2014

This is because this dashboard uses a PostProcess search to drive several panels with one root search. Unfortunately, this doesn't play too well with default drill downs which only show you the results for the root search.

If you want to show results as this panel displays them, you need to manually add to PostProcess search command corresponding to this panel as gathered from the view XML.

Here, the PostProcess in question looks like this:

...
So, the search you need is:



index=sos sourcetype="ps" host="SIS1-SERVER1"

| multikv

| eval type=case(like(ARGS, "%search%"),"searches",like(ARGS, "%root.py_%start%") OR like(COMMAND, "%splunkweb%") OR (like(COMMAND,"%python%") AND like(ARGS,"%appserver%")), "Splunk Web",like(ARGS,"%-p_%start%") OR (like(COMMAND,"%splunkd%") AND like(ARGS, "service")),"splunkd server")

| eval RSZ_MB=RSZ_KB/1024

| eval VSZ_MB=VSZ_KB/1024

| bin _time span=5s

| stats first(pctCPU) AS pctCPU, first(RSZ_MB) AS RSZ_MB, first(VSZ_MB) AS VSZ_MB first(type) AS type by PID _time


| stats sum(pctCPU) AS pctCPU, sum(RSZ_MB) AS RSZ_MB, sum(VSZ_MB) AS VSZ_MB by type, _time

| bin _time span=10s

| sistats avg(pctCPU), median(pctCPU), median(RSZ_MB), median(VSZ_MB) by type, _time

| chart median(RSZ_MB) over _time by type

changwoo · ‎02-19-2014

thanks!!!!

s.o.s "view results" drilldown doesn't yield the same search results than its panel

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms