
HiddenPostProcess vs PostProcess ?

fk319
Builder

What is the difference between Splunk's HiddenPostProcess and Sideview Utils PostProcess ?

1 Solution

sideview
SplunkTrust

The most important difference is that the Sideview PostProcess module handles $foo$ tokens, whereas Splunk's HiddenPostProcess module does not. To break down what this means, with the Sideview PostProcess module you can put $selectedUser$ into the postProcess search, and if there's a module like a Pulldown upstream outputting that key, then the selected Pulldown value can be incorporated into the postProcess search. With the Splunk HiddenPostProcess module you can't include any dynamic tokens like this (even with intentions in the picture) and instead you're limited to whatever single static postprocess search string that the dashboard developer hardcoded into the view. While HiddenPostProcess has been a useful tool over the years even with that limitation, it is a big limitation.

Past that, there's a long tail of smaller improvements worth mentioning, mostly around all the $foo$ tokens that Sideview Utils adds to make life easier. There are keys like $search.timeRange.earliest$, $search.timeRange.latest$ to get the timebounds of the search, which might be relative, or realtime, or absolute. There are other keys like $results.sid$, $results.eventCount$, $results.scanCount$, and several others to get characteristics of the running job. For instance $results.timeRange.earliest$ and $results.timeRange.latest$ will give you the timerange of the running job, which is subtly different than the timerange of the search, primarily because the job's timerange will always be an absolute timerange, whereas the search timerange might be a relative range like (-24h,now).

You can also refer to the previously existing postProcess search from upstream as $postProcess$ within your PostProcess, which can be a useful trick. And like all Sideview modules, it offers you a customBehavior param in case you hit some weird case in advanced dashboard development where you need to cleanly extend the behavior with a few lines of your own JavaScript.

NOTE: for anyone who might be slow to upgrade, many or most of these extra $foo$ tokens I mentioned are only going to be found in the 2.X versions of Sideview Utils, rather than the older 1.3.X version.
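
The contrast described in the answer above, as an added advanced-XML sketch that is not part of the original post or of the Sideview documentation. The index name, field names and user values are constructed for illustration, and the layout assumes the Sideview Utils 2.X advanced XML conventions:

```xml
<!-- Added example. index=auth_example, the user/action fields and the
     alice/bob values are constructed, not taken from the thread. -->

<!-- Splunk HiddenPostProcess: the post-process string is fixed in the view. -->
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">index=auth_example | stats count by user, action</param>
  <module name="HiddenPostProcess">
    <!-- No $foo$ substitution happens here, so "alice" has to be hardcoded. -->
    <param name="search">search user="alice" | fields action, count</param>
    <module name="SimpleResultsTable" />
  </module>
</module>

<!-- Sideview PostProcess: the upstream Pulldown outputs $selectedUser$. -->
<module name="SideviewUtils" layoutPanel="appHeader" />
<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">index=auth_example | stats count by user, action</param>
  <module name="Pulldown">
    <!-- "name" is the key the Pulldown publishes downstream. -->
    <param name="name">selectedUser</param>
    <param name="label">User</param>
    <param name="staticOptions">
      <list>
        <param name="label">alice</param>
        <param name="value">alice</param>
      </list>
      <list>
        <param name="label">bob</param>
        <param name="value">bob</param>
      </list>
    </param>
    <module name="PostProcess">
      <!-- $selectedUser$ is replaced with the selected Pulldown value
           before the post-process search is applied to the base job. -->
      <param name="search">search user="$selectedUser$" | fields action, count</param>
      <module name="SimpleResultsTable" />
    </module>
  </module>
</module>
```

Changing the Pulldown selection re-renders the second table from the same base job with a different post-process string, while the first table always shows the hardcoded user.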

