Dashboards & Visualizations

HiddenPostProcess: search and eval confusion

pde
Path Finder

I have the following:

    <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
        <param name="search">source="*stats.log" host="*prod*"</param>
        <param name="earliest">rt-60m</param>
        <param name="latest">rt</param>

        <module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp1" group="Look to Book Ratio">
            <param name="search">search transactionType="*" | streamstats
                count(eval(transactionType LIKE "%LSRQ")) as look count(eval(transactionType LIKE
                "BOOKRQSS%")) as book | eval lookbook=round(look/book) | rangemap field=lookbook severe=1001-100000 elevated=501-1000 low=0-500</param>
            <module name="SingleValue">
                <param name="field">lookbook</param>
                <param name="afterLabel">:1</param>
                <param name="classField">range</param>
            </module>
        </module>
    </module>

I've read several answers here about the idiosyncrasies of using search in HiddenPostProcess modules, but still can't work out why I keep getting "Invalid field" in my SingleValue pane. What have I missed?

As an aside: the group="Look to Book Ratio" never seems to produce a label on the panel in column 1, but always does for column 2 and column 3. Weird.

Thanks


sideview
SplunkTrust

The answer is that in a dashboard or form-search context, Splunk has optimized behavior where it will only extract the fields that it sees in the search language of the main search string.

Two problems arise out of this.

1) Referring to fields in the postProcess search that are not in the main search. Splunk didn't extract transactionType in the main search, so this won't work.

2) Referring to fields in the SingleValue module that are not in the main search. The UI can also send a parameter called required_field_list when the search is dispatched, and in most cases the modules are written correctly so that they know to do this. For example, if you have a downstream SimpleResultsTable with its 'fields' param set, the table module declares to the framework that it will need those fields extracted, so the framework includes them in the required_field_list. I think the implementation of SingleValue might overlook this case, but I could be wrong.

Solution: the easiest solution is to sneak a fields clause into your main search, and include the '*' in that fields clause so that it doesn't actually do any filtering.

source="*stats.log" host="*prod*" | fields transactionType *
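The fix from the answer applied to the dashboard posted in the question, as an added example that is not code from either poster: the only change is the `fields` clause appended to the HiddenSearch `search` param, so that transactionType is extracted by the main search and is available to the HiddenPostProcess search and the SingleValue module downstream. Everything else is the asker's module as posted.

```xml
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
    <!-- Main search: the trailing "| fields transactionType *" forces extraction of
         transactionType while "*" keeps every other field, so nothing is filtered out. -->
    <param name="search">source="*stats.log" host="*prod*" | fields transactionType *</param>
    <param name="earliest">rt-60m</param>
    <param name="latest">rt</param>

    <!-- Post-process search: now operates on results that actually carry transactionType. -->
    <module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp1" group="Look to Book Ratio">
        <param name="search">search transactionType="*" | streamstats
            count(eval(transactionType LIKE "%LSRQ")) as look count(eval(transactionType LIKE
            "BOOKRQSS%")) as book | eval lookbook=round(look/book) | rangemap field=lookbook severe=1001-100000 elevated=501-1000 low=0-500</param>
        <module name="SingleValue">
            <param name="field">lookbook</param>
            <param name="afterLabel">:1</param>
            <param name="classField">range</param>
        </module>
    </module>
</module>
```

Without the `*`, a `fields transactionType` clause would strip every other field from the main search results before the post-process search runs; with it, the clause only adds the required extraction and leaves the result set otherwise unchanged.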