Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HiddenPostProcess: search and eval confusion

pde
Path Finder
‎09-27-2010 08:07 PM

I have the following:

   <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
        <param name="search">source="*stats.log" host="*prod*"</param>
        <param name="earliest">rt-60m</param>
        <param name="latest">rt</param>

    <module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp1" group="Look to Book Ratio">
        <param name="search">search transactionType="*" | streamstats
            count(eval(transactionType LIKE "%LSRQ")) as look count(eval(transactionType LIKE
            "BOOKRQSS%")) as book | eval lookbook=round(look/book) | rangemap field=lookbook severe=1001-100000 elevated=501-1000 low=0-500</param>
        <module name="SingleValue">
            <param name="field">lookbook</param>
            <param name="afterLabel">:1</param>
            <param name="classField">range</param>
        </module>
    </module>
     </module>

I've read several answers here about the idiosyncrasies of using search in HiddenPostProcess modules, but still can't work out why I keep getting "Invalid field" in my SingleValue pane. What have I missed?

As an aside: the group="Look to Book Ratio" never seems to produce a label on the panel in column 1, but always does for column 2 and column 3. Weird.

Thanks

Tags (2)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎09-28-2010 07:33 PM

The answer is that in a dashboard or form-search context, Splunk has optimized behavior where it will only extract the fields that it sees in the search language of the main search string.

2 problems arising out of this.

1) referring to fields in the postProcess search that are not in the main search. Splunk didnt extract transactionType in the main search so this wont work.

2) referring to fields in the SingleValue module that are not in the main search. The UI can also send a parameter called required_field_list when the search is dispatched, and in most cases the modules are written correctly so that they know to do this. For example if you have a downstream SimpleResultsTable, with its 'fields' param set, the table module declares to the framework that it will need those fields extracted, so the framework includes them in the required_field_list. I think the implementation of SingleValue might overlook this case but i could be wrong.

Solution: easiest solution is to sneak in a fields clause into your main search, and include the '*' in that fields clause so that it doesnt actually do any filtering. 

source="*stats.log" host="*prod*" | fields transactionType *
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...