Splunk Search

Postprocess Search based on Saved Search in Dashboard ignores all attempts to set time

seanel
Path Finder

So I need to get the latest sales stats by country over many different timescales (like right now, so far today, last 7 days, so far this month, last 4 weeks, so far this year, etc.).

So I created an efficient saved search for the year, which summarises sales by country and day.

Then I created multiple charts for different timeframes, but no matter how I try to set earliest and latest times, they are ignored and all charts are for 'All-Time'.

Saved Search:

index=blah host=xxx sourcetype=sales COUNTRY!=NULL earliest=@y latest=@d date_hour>22 | append [|search index=blah host=xxx sourcetype=sales COUNTRY!=NULL earliest=@d latest=now] | table _time VALUE_IN_EURO COUNTRY date_wday date_mday date_month date_year

PostProcess Search:

stats latest(VALUE_IN_EURO) as euro by COUNTRY,date_mday| stats sum(euro) by COUNTRY

Now let's say I want to try and get a relative timescale like last 7 days. I have tried the following:

  • Setting the timepicker in the simple XML panel editor to last 7 days (gets reset to all-time afterwards)
  • Setting -7d@d using the earliest tag in the search tag
  • Setting -7d@d using the earliestTime tag in the search tag
  • Changing the PostProcess Search to search earliest=-7d@d latest=now | stats latest(VALUE_IN_EURO) as euro by COUNTRY,date_mday| stats sum(euro) by COUNTRY (produces zero results)

It's driving me mad! Any help appreciated!!! Or maybe it's just not possible to filter the results of a saved search by time? Though it seems like a fairly obvious use of a saved search to produce an efficient dashboard 🙂

1 Solution

seanel
Path Finder

OK, after a night's sleep I have a solution, though it seems strange that it's the only way, and I expect what I am missing here is some limitation of post-processing.

But if I use a where clause in the post-process search, it works.

e.g. for last 7 days:

| where _time>=now()-604800 | stats latest(VALUE_IN_EURO) as euro by COUNTRY,date_mday | stats sum(euro) by COUNTRY

Would be very interested to know the reason why timepickers on the panel editor and time specifications in the simple XML do not work on a saved search.

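Added example, not from the original thread, showing the pattern the accepted answer arrives at in full Simple XML: one base search referencing the saved search, and several post-process panels that narrow it by time with `where`. It assumes the saved search is named sales_by_country_day (a made-up name) and returns the fields the thread lists (_time, VALUE_IN_EURO, COUNTRY, date_mday). It also goes one step beyond the thread by using relative_time() so the cut-off snaps to midnight like the -7d@d the question asked for, and by driving the window from a dropdown token.

```xml
<!-- Added example, not from the original thread. Assumed names: the saved search is
     called "sales_by_country_day" and returns _time, VALUE_IN_EURO, COUNTRY, date_mday. -->
<form>
  <label>Sales by country from one base search</label>

  <fieldset submitButton="false">
    <!-- Relative window for the third panel. The values are SPL relative-time strings;
         the token is substituted into the post-process query text before it runs. -->
    <input type="dropdown" token="window">
      <label>Window</label>
      <choice value="-7d@d">Last 7 days</choice>
      <choice value="-28d@d">Last 28 days</choice>
      <choice value="-4w@w">Last 4 weeks</choice>
      <default>-7d@d</default>
    </input>
  </fieldset>

  <!-- The base search runs once, on the server. Its time range is whatever the saved
       search itself specifies (in the thread, the inline earliest=@y ... latest=now
       modifiers). The post-process searches below only filter and transform that
       result set: <earliest>/<latest> on a <search base="..."> element do not
       re-scope it, which is why the panel time picker had no effect in the thread. -->
  <search id="sales_base" ref="sales_by_country_day"></search>

  <row>
    <panel>
      <title>Last 7 days (snapped to midnight, i.e. -7d@d)</title>
      <chart>
        <search base="sales_base">
          <query>
            | where _time >= relative_time(now(), "-7d@d")
            | stats latest(VALUE_IN_EURO) as euro by COUNTRY, date_mday
            | stats sum(euro) as euro by COUNTRY
          </query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>So far today</title>
      <chart>
        <search base="sales_base">
          <query>
            | where _time >= relative_time(now(), "@d")
            | stats latest(VALUE_IN_EURO) as euro by COUNTRY, date_mday
            | stats sum(euro) as euro by COUNTRY
          </query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Selected window ($window$)</title>
      <chart>
        <search base="sales_base">
          <query>
            | where _time >= relative_time(now(), "$window$")
            | stats latest(VALUE_IN_EURO) as euro by COUNTRY, date_mday
            | stats sum(euro) as euro by COUNTRY
          </query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

relative_time(now(), "-7d@d") does the same job as now()-604800 in the accepted answer, but honours the @d snap, so "last 7 days" starts at midnight rather than exactly 168 hours ago. One caveat worth checking in your version's docs: Splunk documents a cap on the number of results a post-process search can consume (10,000 in the releases current when this thread was written), so the base search should stay a transforming search, or at least return fewer rows than that, or the post-processed panels will silently work on a truncated set.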

stephane_cyrill
Builder

Hi, try to do something like this:

1- if you are using Splunk 6.2 or later:

    <input type="time" token="time">
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>

    .
    .
    .

    <search>
      <query>
      here goes your query
      </query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>

2- if you are using a version prior to 6.2:

    <input type="time" token="time">
      <default>
        <earliestTime>0</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>

    .
    .
    .

    <searchString>here goes your query</searchString>
    <earliestTime>$time.earliest$</earliestTime>
    <latestTime>$time.latest$</latestTime>

3- and remove the first time range (earliest=... latest=...) in your savedsearch.


seanel
Path Finder

Thanks for the answer, but doing what you suggest would remove the whole purpose of the saved search in the first place. The whole point of the saved search is to get the whole year's data in one efficient search, then twist the results in different ways for each of 12 charts on the dashboard. If I used the method you suggest, it would a) get all data for all time, which would be slow, plus b) it would essentially be 12 searches of a huge amount of data in the browser process.

I have all the data I need in the one search, which takes just 8 seconds and has already been executed by the server. Now I just need to present/filter the data from the saved search according to different time scales. The month, year and so on are simple as I extracted date_month, date_year etc., but it's the relative timescales that seem to be a problem, like last 7 days, last 28 days etc.
