Post processing summarized data

kjcorbin
Explorer

I have the following search which outputs summarized data in 4 hours chunks perfectly:

source="MySocket" NOT ServiceName="Private Service"
| eval search = if(eventtype="search",CounterValue,0)
| eval browse = if(eventtype="browse",CounterValue,0)
| eval tracks = if(eventtype="tracks",CounterValue,0)
| eval play_seconds_val = if(eventtype="play_seconds",CounterValue,0)
| eval play_error_val = if(eventtype="play_errors",CounterValue,0)
| eval play_error_adj_val = if(eventtype="play_error_adjusted",CounterValue,0)
| eval play_errors_total = play_error_val - play_error_adj_val
| eval browse_errors=if(eventtype="browse_error",CounterValue, 0)
| eval search_errors=if(eventtype="search_error",CounterValue, 0)
| eval other_errors = search_errors + browse_errors
| bin _time span=4h
| stats sum(search) as Search sum(browse) as Browse sum(tracks) as Tracks sum(play_seconds_val) as PlaySeconds sum(other_errors) as OtherErros sum(play_errors_total) as PlayErrorsTotal distinct_count(HouseholdId) as Households by _time ServiceName

However when I try to use HiddenPostProcess with this to generate different charts and single value fields I am getting invalid field errors.

Here are a couple of examples of what I am trying to do with post process:
stats sum(Households) - this is for a single value field it fails saying illegal
timechart span=1d sum(play_seconds_val) by ServiceName useother="f" - for a chart, produces no results
timechart span=1d PlaySecnds by ServiceName useother="f" - for a chart, errors saying it must be in the form <func>(<field>)

I cannot do the summarization step in post processing because the search will return more than 10,000 results. Does anyone have any idea how to accomplish this?

Thanks in advance,
Keith


sideview
SplunkTrust

Strange.

stats sum(Households) should work, that is unless the main search is completely empty.

What 'illegal' message did that return? Can you paste it in?

As to the second postProcess, timechart span=1d sum(play_seconds_val) by ServiceName useother="f" -

Well, this won't work because the final results of your base search don't have a field called play_seconds_val. You renamed it to PlaySeconds.

And the third postProcess, for one thing there's a typo -- PlaySecnds instead of PlaySeconds, and for a second problem indeed you need to have a function argument like distinct_count() or sum() or max(). You can't just specify raw field names.
