Hello Splunk and Sideview Utils experts,
I have a problem with nested searches that I hope someone here can help me with.
I'm using the Sideview Utils Search module for my main search, downstream of which are a few PostProcess modules to display the results. These all work great. One of the PostProcess modules passes through to a SimpleResultsTable, to which I'm attempting a drilldown to launch a new search - it's this search which I'm having difficulty with.
The outermost search just checks the access log:
The PostProcess search amends the results of the Search to give a bit more detail on the breakdown by user:
Inside this PostProcess I have a SimpleResultsTable:
Now, inside the SimpleResultsTable I'm trying to launch a whole new Search so that I can display another table showing requests broken down by user. The query doesn't bring back any results via the drilldown, even though it works as an independent search. I assume that the search is being performed against the results already passed down from the upstream search and postprocess, instead of against the full dataset. Here's the new search:
So, that search doesn't work, but if I use another nested PostProcess instead, the PostProcess runs ok - except that now I've no way (that I know of) to add in the user=$click.value$ filtering that I need in order to show the queries for each user. Here's the PostProcess search:
Any help anyone can offer with this would be greatly appreciated!
Thanks,
Andy.
What's happening is that the PostProcess search from the higher layer doesn't get automatically cleared down at the second layer.
For now you have to add in a
<module name="PostProcess">
<param name="search"> </param>
and that will clobber the first-layer postProcess from affecting the second-layer search results. Sorry about the inconvenience and confusion. I'm debating patching the core UI framework to make this basically happen automatically but I haven't done it yet.
UPDATE: On further review, so many people have smacked into this problem over the years, and there's so little reason for it to behave the way it does versus the way you'd expect it to, that I've made the change and as of Sideview Utils 2.2.7, whenever a new search is dispatched, any postprocess search that was used at a higher level will be discarded. As a result, if you simply upgrade Sideview Utils to 2.2.7 (out later this week), you won't get this problem anymore.
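The workaround from the answer above, laid out as a complete module tree. This is an added example, not XML from the original posts. The index, sourcetype, field names and all three queries are constructed placeholders, because the asker's own searches are not shown on the page.

```xml
<view template="dashboard.html" isVisible="true">
  <label>Requests by user (constructed example)</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="appHeader" />
  <module name="SideviewUtils" layoutPanel="appHeader" />

  <!-- Layer 1: base search against the access log (placeholder query) -->
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=web sourcetype=access_combined | stats count by user, uri</param>

    <!-- Layer 1 postprocess: per-user breakdown of the base results -->
    <module name="PostProcess">
      <param name="search">stats sum(count) as requests by user</param>

      <module name="SimpleResultsTable">
        <param name="drilldown">row</param>

        <!-- Workaround: an empty PostProcess replaces the layer-1
             postprocess, so it is not applied to the results of
             the search dispatched below -->
        <module name="PostProcess">
          <param name="search"> </param>

          <!-- Layer 2: new search run against the full dataset,
               filtered by the clicked user -->
          <module name="Search">
            <param name="search">index=web sourcetype=access_combined user="$click.value$" | stats count by uri</param>

            <module name="SimpleResultsTable" />
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
```

Without the empty PostProcess, the layer-1 postprocess is applied to the layer-2 results as well, and since those results have a different set of fields, the drilldown table comes back empty.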
Thanks. There are changes in Sideview Utils as of version 2.2.7 that should make this class of problems go away entirely. As of that release, whenever a new "layer" of module config implements a drilldown that ends up dispatching a new search, the remnant postProcess search from that "layer" gets automatically cleared. Therefore there's no more need for the app developer to explicitly clear it anymore.
I link the question I asked some time ago, as it's the exact same problem:
(which it did. It went out in 2.4.4 on 3/26/2013)
Thanks for the view you sent in. Ironically the problem is that although I patched the behavior across the entire Splunk core framework, there was a problem that prevented the Sideview Table module specifically from doing the right thing. So the Sideview Table module has actually retained the old behavior where you need to clobber postProcess.
The fix will most likely ship in the next release (2.4.4).
Sent you an email.
Interesting! Yes I'll take you up on that. Can you post or pastebin the XML? Maybe it represents a situation I've overlooked. You can email it to nick [at] sideviewapps.com.
As an FYI, I just updated to 2.2.7 and am still having to add a PostProcess module with an empty search to have lower search modules behave correctly in drilldown tables. I can supply XML if need be.
Thanks Sideview, that works like a charm!