Solved: Post search stucks

stwong · ‎01-06-2017

Hi,

I tried to use post search to populate list options:

    <search id="baseSearch">
        <query>
          <![CDATA[index=application host="myhost*" status<400| rex field=uri "\/(?<deptcode>[^\/]+)\/" 
          ]]>
        </query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
    </search>
    <fieldset submitButton="false">
    <input type="time" token="field2">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="d_name" searchWhenChanged="true">
      <label>Select a department</label>
      <choice value="*">All</choice>
      <search base="baseSearch">
        <query>
          stats count by deptcode
        </query>
      </search>
      <fieldForLabel>deptcode</fieldForLabel>
      <fieldForValue>deptcode</fieldForValue>
    </input>
  </fieldset>

However, using single search works as expected:

    <input type="dropdown" token="d_name" searchWhenChanged="true">
      <label>Select a department</label>
      <choice value="*">All</choice>
      <search>
        <query>
          <![CDATA[index=application host="myhost*" status<400| rex field=uri "\/(?<deptcode>[^\/]+)\/" | stats count by deptcode
          ]]>
        </query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <fieldForLabel>deptcode</fieldForLabel>
      <fieldForValue>deptcode</fieldForValue>
    </input

Post search in panels in the same form also not working. Would anyone please help?
Sorry for the newbie question.

Thanks a lot.
Regards,
/ST Wong

renjith_nair · ‎01-06-2017

Try specifying the field explicitly in the base search and/or in the sub search. ie , after your base search try adding

your search | fields deptcode,other fields>

Happy Splunking!

View solution in original post

renjith_nair · ‎01-06-2017

Try specifying the field explicitly in the base search and/or in the sub search. ie , after your base search try adding

your search | fields deptcode,other fields>

Happy Splunking!

stwong · ‎01-06-2017

Thanks. The drop down list works after appending "fields" to the base search. May I know the reason behind?

However, post search in panels still not working (just "waiting for data"). e.g.

    <panel>
      <title>Time distribution of browser for department $d_name$</title>
      <chart>
        <search base="baseSearch">
          <query>
            search deptcode=$d_name$ | rename useragent as http_user_agent | lookup user_agents http_user_agent | timechart count by ua_family usenull=f useother=f
          </query>
        </search>

Again, using full search instead of base+post search works before. Would you help again?

Thanks a lot.

renjith_nair · ‎01-06-2017

See the details of search mode here : http://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Changethesearchmode

The user field extraction might not get effected when it runs in smart/fast mode.

For your second issue, try the same trick by adding fields at the end of drop down search

ie :

stats count by deptcode|fields deptcode

If it's not working , click on the search icon on the panel (below) and see what's the final search it's running. From there you will be able to identify

Happy Splunking!

stwong · ‎01-06-2017

Got it. Passing more fields in base search makes post search work, however, the time range earliest and latest nodes specified in base search can't be passed to post searches. I also can't specify or nodes in post search (gives unknown node error if i specify them in post search). Probably something else is missed in my code....

stwong · ‎01-06-2017

Sorry that i accidentally added token="xxx" in time picker instead of using default time_tok. It works after removing the token field.
Somes post-process searches can only use default time_tok, right?

Post search stucks

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk