Need help in using Postprocess in Sideview Utils

theouhuios
Motivator

Hello

I have multiple linking views and I am trying to implement post processing, as the user wants to have 11 different graphs on one view itself. I am facing an issue with the post processing as it's not showing the graphs accordingly, and instead of searching for that search query, it's searching the string being used in the search with no filters applied to the panels respectively.

Here is the code which I am using.

  <module name="URLLoader" layoutPanel="panel_row1_col1" autoRun="True">

    <module name="HTML" layoutPanel="viewHeader">
      <param name="html"><![CDATA[
       <h3>$title$</h3>
      ]]></param>
    </module>

    <module name="HiddenSearch" layoutPanel="viewHeader">
      <param name="search">earliest=-24h@h latest=@h sourcetype="IIS:Access:*"  | stats count by host | sort - host| fields host</param>

      <module name="JobProgressIndicator"></module>

      <module name="Pulldown">
        <param name="name">host</param>      
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">host</param>
            <param name="value">host</param>
          </list>
        </param>

        <module name="TimeRangePicker" >
          <param name="searchWhenChanged">True</param>
          <param name="selected">Last 24 hours</param>

          <module name="Search" layoutPanel="panel_row1_col1" >
            <param name="search"> sourcetype="Perfmon:*" </param>      
            <param name="earliest">-24h</param>
            <param name="latest">now</param>

            <module name="PostProcess" layoutPanel="panel_row1_col1" group="Processor Queue Length" >
              <param name="search"> search host=$host$ collection="Processor" counter="Processor Queue Length"   | $report$</param>

              <module name="JobProgressIndicator"></module>

              <module name="Pager">
                <param name="entityName">results</param>

                <module name="HiddenChartFormatter">
                  <param name="charting.axisTitleY.text"/>
                  <param name="charting.chart">line</param>
                  <param name="charting.chart.stackMode">stacked</param>
                  <param name="charting.legend.placement">top</param>
                  <param name="charting.chart.nullValueMode">zero</param>
                  <param name="charting.axisTitleX.text">Processor Queue Length</param>
                  <module name="JSChart">
                    <param name="width">100%</param>
                  </module>
                </module>
              </module>
            </module>

The reason why the post process search is so generic is because I am using multiple arguments from the previous view with different commands. For example

$report$=timechart span=1hr avg(Value) by host 

$report1$=stats avg(Value) by host

So to be able to use these easily I am trying to make the postprocess search as generic as possible. I am kinda new to using postprocess in Sideview. Any idea where I am making a mistake?

Regards
theou

sideview
SplunkTrust

Short version -- Move the autoRun="True" from your PostProcess module, up to the top so it's on the Search module. This isn't a Sideview problem but rather something that's just really easy to get wrong in Splunk's advanced XML.

autoRun="True" tells the framework to "push from this point when the page loads, dispatching any searches you may need underneath this point". With this config, two things can be happening as written.

1) If there is no second autoRun="True" upstream from that Pulldown and its Search, then the Pulldown won't be loading at all. It'll just sit there saying the word "Loading..." until a push hits it.

2) If there is a second autoRun="True" somewhere upstream from that Pulldown and its Search, that's really bad because you should never nest an autoRun="True" inside another one. If that's the case then your bug is because the innermost one is running first, the context cache is getting invalid, and the keys from further upstream never arrive to fix it.

Either way I think moving that autoRun="True" upstream, and removing any redundant ones, will fix it.

Note that you should also read the PostProcess overview docs in Sideview Utils. Get the latest version of Sideview Utils for sure, if only because the documentation is much better (http://sideviewapps.com/apps/sideview-utils). If this base search here is feeding lots of postProcesses you're probably going to hit some other pitfalls that the postprocess overview page can tell you about.

sideview
SplunkTrust

No problem. PostProcess and how to use it effectively is one of the bumpier parts of the overall learning curve.

0 Karma

theouhuios
Motivator

Got it to work. Thanks Nick. Sorry for asking so many questions regarding the base search 😛 I was in the mindset that it's the same as the regular Splunk modules. Thanks for the help 🙂

0 Karma

sideview
SplunkTrust

Nope, that's not the case. You should read the docs page and the example, because it shows exactly that - where the base search is a transforming search (stats), and the postprocess searches are other transforming searches like chart/stats/timechart.

theouhuios
Motivator

Oh. But the problem is that if I need to use different commands like stats or timechart for different panels, then without getting the data in raw format it's not able to chart it accordingly.

0 Karma

sideview
SplunkTrust

Certainly. You should start though by reading the PostProcess overview page in Sideview Utils. "Key Techniques > Using PostProcess > Introduction". Right in the first panel it cautions you strongly, with a bit of all caps, to not use PostProcess in a way where the "base search" is a search for raw events, which is what you're doing here. The page has an excellent and clear explanation of the ways (plural) in which this is a bad idea. At the most superficial level, when your base search is submitted, Splunk has no idea that these other fields are important, so Splunk won't extract them.

0 Karma

theouhuios
Motivator

That solved one issue. But I don't understand why it's not sending the data down to different panels using the searches for them. I added the whole code to my first post. Is it the issue with my search? I am just giving it the sourcetype as the panels have various collections and counters which it needs to consider before creating the graphs.

0 Karma
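
Added example, not code from the thread or from Sideview Utils: a small lint that walks an advanced XML view and flags the two placement mistakes the answer describes (an autoRun="True" nested inside another, or one placed below a search so nothing pushes the modules above it), plus a PostProcess fed by a raw-event base search. The rule names, the "no pipe means raw events" heuristic, and the sample views are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SEARCH_MODULES = {"Search", "HiddenSearch"}

def search_param(module):
    """Text of a module's <param name="search">, or '' if absent."""
    for p in module.findall("param"):
        if p.get("name") == "search":
            return (p.text or "").strip()
    return ""

def lint_view(xml_text):
    """Return (rule, module path) findings for one advanced XML view."""
    findings = []
    def walk(node, path, autorun_above, base_search):
        for mod in node.findall("module"):
            name = mod.get("name", "?")
            here = f"{path}/{name}"
            autorun = mod.get("autoRun", "").lower() == "true"
            if autorun and autorun_above:
                findings.append(("nested-autorun", here))
            elif autorun and base_search is not None:
                # The push starts below a search, so modules above it never get pushed.
                findings.append(("autorun-below-search", here))
            if name == "PostProcess" and base_search is not None and "|" not in base_search:
                # Heuristic (assumption): no pipe means the base search returns raw events.
                findings.append(("raw-event-base-search", here))
            feeds = search_param(mod) if name in SEARCH_MODULES else base_search
            walk(mod, here, autorun or autorun_above, feeds)

    walk(ET.fromstring(xml_text), "", False, None)
    return findings

# Constructed sample views, modelled on the layout discussed in the thread.
TEMPLATE = """<view>
  <module name="Search"{s_attr}>
    <param name="search">{base}</param>
    <module name="PostProcess"{p_attr}>
      <param name="search">search host=$host$ | $report$</param>
    </module>
  </module>
</view>"""
AUTORUN = ' autoRun="True"'
BROKEN = TEMPLATE.format(s_attr="", p_attr=AUTORUN, base='sourcetype="Perfmon:*"')
NESTED = TEMPLATE.format(s_attr=AUTORUN, p_attr=AUTORUN, base='sourcetype="Perfmon:*"')
FIXED = TEMPLATE.format(s_attr=AUTORUN, p_attr="",
                        base='sourcetype="Perfmon:*" | stats avg(Value) as Value by host collection counter')

if __name__ == "__main__":
    print(lint_view(BROKEN), lint_view(NESTED), lint_view(FIXED))
```
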