Sideview Utils Search inside a PostProcess doesn't work?

andrew_wilkins
Explorer

Hello Splunk and Sideview Utils experts,

I have a problem with nested searches that I hope someone here can help me with.

I'm using the Sideview Utils Search module for my main search, downstream of which are a few PostProcess modules to display the results. These all work great. One of the PostProcess modules passes through to a SimpleResultsTable, to which I'm attempting a drilldown to launch a new search - it's this search which I'm having difficulty with.

The outermost search just checks the access log:


    host="(myHost)" source="access.log.*" request=/service/* status=200 | fields user duration request bytes


The PostProcess search amends the results of the Search to give a bit more detail on the breakdown by user:


    chart count AS "Requests" sum(duration) AS "Total Duration" avg(duration) AS "Avg. Duration" sparkline(count) AS "Activity" by user
    

Inside this PostProcess I have a SimpleResultsTable:


    row

Now, inside the SimpleResultsTable I'm trying to launch a whole new Search so that I can display another table showing requests broken down by user. The query doesn't bring back any results via the drilldown, even though it works as an independent search. I assume that the search is being performed against the results already passed down from the upstream search and postprocess, instead of against the full dataset. Here's the new search:


    host="(myHost)" source="access.log.*" request="/service/*" status=200 user=$click.value$ | chart count avg(duration) AS "Avg Duration" sparkline(avg(duration)) AS "Duration Trend" avg(bytes) AS "Avg Bytes" sparkline(sum(bytes)) AS "Bytes Transferred Trend" by request
    

So, that search doesn't work, but if I use another nested PostProcess instead, the PostProcess runs ok - except that now I've no way (that I know of) to add in the user=$click.value$ filtering that I need in order to show the queries for each user. Here's the PostProcess search:


    chart count avg(duration) AS "Avg Duration" sparkline(avg(duration)) AS "Duration Trend" avg(bytes) AS "Avg Bytes" sparkline(sum(bytes)) AS "Bytes Transferred Trend" by request
    

Any help anyone can offer with this would be greatly appreciated!

Thanks,
Andy.

1 Solution

sideview
SplunkTrust

What's happening is that the PostProcess search from the higher layer doesn't get automatically cleared down at the second layer.

For now you have to add in a

    <module name="PostProcess">
      <param name="search"> </param>
      <!-- modules that should ignore the first-layer postProcess nest here -->
    </module>

and that will clobber the first-layer postProcess from affecting the second-layer search results. Sorry about the inconvenience and confusion. I'm debating patching the core UI framework to make this basically happen automatically but I haven't done it yet.

UPDATE: On further review, so many people have smacked into this problem over the years, and there's so little reason for it to behave the way it does versus the way you'd expect it to, that I've made the change and as of Sideview Utils 2.2.7, whenever a new search is dispatched, any postprocess search that was used at a higher level will be discarded. As a result, if you simply upgrade Sideview Utils to 2.2.7 (out later this week), you won't get this problem anymore.

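The workaround from the answer above, laid out as a complete nested view (an added example, not part of the original post or of Sideview Utils itself). The searches are the ones from the question; the view skeleton, the `layoutPanel` values, the quoting around `$click.value$` and the placement of the empty PostProcess directly under the drilldown Search are assumptions.

```xml
<view template="dashboard.html">
  <label>Requests by user (illustrative view)</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="appHeader" />
  <module name="SideviewUtils" layoutPanel="appHeader" />

  <!-- Layer 1: base search over the access log -->
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">host="(myHost)" source="access.log.*" request=/service/* status=200 | fields user duration request bytes</param>

    <!-- Layer 1 postprocess: per-user breakdown of the base results -->
    <module name="PostProcess">
      <param name="search">chart count AS "Requests" sum(duration) AS "Total Duration" avg(duration) AS "Avg. Duration" sparkline(count) AS "Activity" by user</param>

      <module name="SimpleResultsTable">
        <param name="drilldown">row</param>

        <!-- Layer 2: a brand-new search dispatched on row click.
             Quoting the token (an addition here) keeps user values
             containing spaces from splitting into extra search terms. -->
        <module name="Search">
          <param name="search">host="(myHost)" source="access.log.*" request="/service/*" status=200 user="$click.value$" | chart count avg(duration) AS "Avg Duration" sparkline(avg(duration)) AS "Duration Trend" avg(bytes) AS "Avg Bytes" sparkline(sum(bytes)) AS "Bytes Transferred Trend" by request</param>

          <!-- Without this, the layer 1 "chart ... by user" postprocess is
               still applied to the layer 2 results, which then come back
               empty. A single-space search clobbers the inherited one. -->
          <module name="PostProcess">
            <param name="search"> </param>

            <module name="SimpleResultsTable" />
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
```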

sideview
SplunkTrust

Thanks. There are changes in Sideview Utils as of version 2.2.7 that should make this class of problems go away entirely. As of that release, whenever a new "layer" of module config implements a drilldown that ends up dispatching a new search, the remnant postProcess search from that "layer" gets automatically cleared. Therefore there's no more need for the app developer to explicitly clear it anymore.

0 Karma

guilhem
Contributor

I'm linking the question I asked some time ago, as it's the exact same problem:

http://splunk-base.splunk.com/answers/60696/sideview-utils-jschart-flashchart-doesnt-show-any-result...

0 Karma

sideview
SplunkTrust

(which it did. It went out in 2.4.4 on 3/26/2013)

0 Karma

sideview
SplunkTrust

Thanks for the view you sent in. Ironically the problem is that although I patched the behavior across the entire Splunk core framework, there was a problem that prevented the Sideview Table module specifically from doing the right thing. So the Sideview Table module has actually retained the old behavior where you need to clobber postProcess.

The fix will most likely ship in the next release (2.4.4).

0 Karma

rdevine
Path Finder

Sent you an email.

0 Karma

sideview
SplunkTrust

Interesting! Yes I'll take you up on that. Can you post or pastebin the XML? Maybe it represents a situation I've overlooked. You can email it to nick [at] sideviewapps.com.

0 Karma

rdevine
Path Finder

As an FYI, I just updated to 2.2.7 and am still having to add a PostProcess module with an empty search to have lower search modules behave correctly in drilldown tables. I can supply XML if need be.

0 Karma

andrew_wilkins
Explorer

Thanks Sideview, that works like a charm!

0 Karma