Has anybody used the searchTemplate with searchPostProcess with a single element? I simply can't get it to work. It always shows 0.
If I run the concatenated search, it works fine. What's wrong? Here is the snippet of the code:
<searchTemplate>
<![CDATA[
sourcetype=sitescope Capsuletech: host="UHSISMONCPRA*"
| regex source="SiteScope\d{4}_\d{2}_\d{2}(?<!v2)\.log"
| head 2000
]]>
</searchTemplate>
inside the "dashboard" element.
Then in a single element, I have
<searchPostProcess>search NOT UHCASSPR* | dedup MonitorName sortby -_time | stats count as total</searchPostProcess>
<field>total </field>
Hi kundeng,
You should use a transforming command within your searchTemplate for best results; read the docs: http://docs.splunk.com/Documentation/Splunk/6.2.0/AdvancedDev/PostProcess
cheers, MuS