Splunk Search

Why is searchPostProcess is not showing any data on the dashboard?

abhayneilam
Contributor

Hi,

I have created a dashboard in which I have added a timepicker and I have opened a drop-down menu which defines the NAME.

I am going to put the reduced simple XML for you to understand the problem I am facing :

  <label>Name of the Person</label>
  <choice value="*">A_name</choice>
  <choice value="XXXX">B_name</choice>
  <choice value="YYYY">C_Name</choice>
  <default>*</default>
</input>


<input type="time" searchWhenChanged="true">
  <default>
    <earliestTime>-1w@h</earliestTime>
    <latestTime>now</latestTime>
  </default>
</input>

index=XXXX sourcetype=YYYYY | search NAME="$NAME$" TITLE="*"

    <title>ABCDEFGH</title>
    <searchPostProcess> | timechart span=1h  sum(TOTAL) as sub_total  |  delta sub_total as TOTAL | table  _time TOTAL</searchPostProcess>
   <earliestTime>$earliest$</earliestTime>
  <latestTime>$latest$</latestTime>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">false</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">area</option>
    <option name="charting.chart.nullValueMode">zero</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">1</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>

  </chart>

I have used multiple tags like this in the same search, but I have only posted one example,

My problem is that I am not getting any output in my dashboard, Kindly help me as this is urgent!!

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi abhayneilam,

this will not work because your searchTemplate does not qualify for searchPostProcess Read the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/Savedsearches#Post-process_searches for more details.

Following the docs you need a transforming command in your searchTemplate

try something like this:

index=XXXX sourcetype=YYYYY NAME="$NAME$" TITLE="*" | stats count by _time, TOTAL

hope this helps to get you started ...

cheers, MuS

0 Karma

nfilippi_splunk
Splunk Employee
Splunk Employee

To clarify, you don't necessarily need a transforming search in your searchTemplate. However, note that if the searchTemplate is non-transforming, then you may or may not reach the 10,000 event search limit.

The real issue here is in the field extractions not being passed down to the post process search. All searches in dashboards are run in fast mode, which means that selected fields are not automatically available to downstream searches.

As a workaround, you can add "| fields *" to your searchTemplate to explicitly extract fields for post process searches.

So, it would look like this:

<searchTemplate>index=XXXX sourcetype=YYYYY | search NAME="$NAME$" TITLE="*" | fields *</searchTemplate>

sideview
SplunkTrust
SplunkTrust

If you have trouble with the way it's presented in the official docs, the Sideview Utils app has a more real-world approach for keeping you out of trouble. Download and install the Sideview Utils app from http://sideviewapps.com and navigate to "Key Techniques > Using PostProcess > Introduction". Far and away the biggest problem with postprocess is that everyone does exactly what you're doing here, and for several reasons, it is a bad idea and/or it will not work at all. The Sideview docs break it down into the different problems and pitfalls. In this case it's because the Total field is not named in your base search, so Splunkd wont even extract it at search time. The answer is as MuS says - to use a transforming command in the base search. But I do recommend reading the docs thoroughly AND reading the Sideview Utils docs as well.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...