Form post process problems

nickhills
Ultra Champion

Hello all,

I am trying to build a form which reports on a number of kv pairs from our logs. This form has a number of fields and charts, which at the moment are driven by a search for each panel, but I would like to use the post processing feature to streamline this process, and drive the process from one search.

This is what i have on my working form:

  <single>
  <searchTemplate>eventtype=device_heartbeat heartbeat_device_id="$id$" heartbeat_device_networkstatus=*|head 1|fields heartbeat_device_networkstatus</searchTemplate>
  <option name="field">heartbeat_device_networkstatus</option>
  <option name="beforeLabel">Operating Mode:</option>
  </single>

This works fine, and displays each value as expected. But when I try to repeat this on a post process form I have problems using the following code:

At the form level:

<searchTemplate>eventtype=device_heartbeat heartbeat_device_id="$id$"|head 200</searchTemplate>

In the panels:

<single>
<searchPostProcess>head 1</searchPostProcess>
<option name="field">heartbeat_device_networkstatus</option>
<option name="beforeLabel">Operating Mode:</option>
</single>

So far, so good, but when I run the form I get:

Operating Mode: Invalid Field

Can anyone spot where I may be going wrong?

Thanks.

If my comment helps, please give it a thumbs up!
1 Solution

sideview
SplunkTrust

You should download the UI Examples app, which is essentially documentation mixed with living examples, and read the view it has called "using postProcess on dashboards".

There are several pitfalls that everyone hits when they first start using postProcess, and you're hitting one of the bigger ones.

When Splunk dispatches a search, it looks at the search language and it will only extract, preserve and summarize fields that are referenced or otherwise needed somehow in the search language. So in your case, at dispatch-time, Splunk assumes that the heartbeat_device_networkstatus field is not needed, so it doesn't get extracted. Fast forward to post-process time, and there is no such field, hence the error.

Short version:
Instead of

<searchTemplate>eventtype=device_heartbeat heartbeat_device_id="$id$"|head 200</searchTemplate>

use

<searchTemplate>eventtype=device_heartbeat heartbeat_device_id="$id$"|head 200 | fields heartbeat_device_networkstatus</searchTemplate>

And adjust that fields clause to add other fields as necessary.
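
The fix above, laid out as a whole form in which two panels share one base search. This is an added example, not part of the original answer; the second panel, its field heartbeat_device_firmware and all labels are hypothetical.

```xml
<form>
  <label>Device heartbeat</label>

  <!-- Base search, dispatched once. The trailing fields clause names every
       field that any panel below reads, so each one is extracted and kept
       for post-process time. heartbeat_device_firmware is a hypothetical
       second field, added to show how the clause grows. -->
  <searchTemplate>eventtype=device_heartbeat heartbeat_device_id="$id$" | head 200 | fields heartbeat_device_networkstatus heartbeat_device_firmware</searchTemplate>

  <fieldset>
    <input type="text" token="id">
      <label>Device ID</label>
    </input>
  </fieldset>

  <row>
    <!-- The panel from the question: works because its field is listed
         in the base search's fields clause. -->
    <single>
      <searchPostProcess>head 1</searchPostProcess>
      <option name="field">heartbeat_device_networkstatus</option>
      <option name="beforeLabel">Operating Mode:</option>
    </single>

    <!-- Hypothetical second panel. If heartbeat_device_firmware were left
         out of the fields clause above, this panel would show
         "Invalid Field" just as the first one did. -->
    <single>
      <searchPostProcess>head 1</searchPostProcess>
      <option name="field">heartbeat_device_firmware</option>
      <option name="beforeLabel">Firmware:</option>
    </single>
  </row>
</form>
```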

nickhills
Ultra Champion

Thanks very much. This was exactly the issue.


nickhills
Ultra Champion

Should have mentioned that the error is reported on my single 'button'; the words Operating Mode: are expected. It's the "Invalid Field" that is causing grief.
