Dashboards & Visualizations

Tabling in post-process duplicates a row of data??

nick405060
Motivator

A hat-wearing dinosaur and I tried to figure this out in usergroups without any luck.

tl;dr moving this string exactly

| table owner LastFirst OfficeName PersonType JobTitleGroup JobClassGroup JobTitle serial model lease_start lease_end ownership os carrier phone_number enrollment

from the base search to the post-process search results in one line of data being duplicated and shown twice. Otherwise the data is presented normally.

  <search id="base">
    <query>
index=main sourcetype=snow:cmdb_ci_list dv_assigned_to!="" dv_assigned_to="*$network_id$*" earliest=-30d latest=now | sort 0 - _time | dedup dv_serial_number | eval serial=dv_serial_number | rex field=dv_assigned_to "\((?&lt;owner&gt;[^\)]+?)\)" | eval owner=lower(owner) | 
join type=left serial [search index=test source=us_bank_05-22-19.csv earliest=1 latest=now | eval model=device | eval lease_end=least_end] | where lease_start!="" |
append [search index=test source=airwatch_10-18-19.csv "$network_id$" earliest=1 latest=now | rename "Serial Number" AS serial | rename "User Name" AS owner | eval owner=lower(owner) | rename "Device Model" AS model | eval ownership=if(Ownership="E","BYOD","MYCOMPANY") | rename "OS Version" AS os | rename "Current Carrier" AS carrier | rename "Phone Number" as phone_number | rename "Enrollment Date" AS enrollment | rename "Last Seen" AS last] | table owner LastFirst OfficeName PersonType JobTitleGroup JobClassGroup JobTitle serial model lease_start lease_end ownership os carrier phone_number enrollment
    </query>
  </search>

    <search base="base">
      <query>
      </query>
      <preview>
        <set token="search_count">$result._count$</set>
      </preview>
    </search>

I am guessing this has something to do with the very annoying 7.2.0 bug where if you table the same field twice, it screws everything.

EDIT: The workaround here is to keep the table in the base and then use fields - in the post, but I would very much like to know why this happened for this particular search. I obviously table in post-process searches all the time.

gcusello
SplunkTrust

Hi nick405060,
Obviously, I think that you have more panels (at least 2) that use the same post-process search.
Anyway, you have to move all the common rows into the base search and, at the end, put the fields command with the list of all the fields you want to use in the panels.
In other words, if you have a panel with a stats count BY owner and you want to display a table with these fields (owner LastFirst OfficeName PersonType JobTitleGroup JobClassGroup JobTitle serial model lease_start lease_end ownership os carrier phone_number enrollment), you have to use this in the base search:

index=main sourcetype=snow:cmdb_ci_list dv_assigned_to!="" dv_assigned_to="*$network_id$*" earliest=-30d latest=now 
| dedup dv_serial_number 
| eval serial=dv_serial_number 
| rex field=dv_assigned_to "\((?<owner>[^\)]+?)\)" 
| eval owner=lower(owner) 
| join type=left serial [ search 
     index=test source=us_bank_05-22-19.csv earliest=1 latest=now 
    | eval model=device, lease_end=least_end
    ] 
| where lease_start!="" 
|  append [ search 
    index=test source=airwatch_10-18-19.csv "$network_id$" earliest=1 latest=now 
    | rename "Serial Number" AS serial "User Name" AS owner "Device Model" AS model "OS Version" AS os
    "Current Carrier" AS carrier "Phone Number" AS phone_number "Enrollment Date" AS enrollment "Last Seen" AS last
    | eval owner=lower(owner), ownership=if(Ownership="E","BYOD","MYCOMPANY")
    ] 
| fields owner LastFirst OfficeName PersonType JobTitleGroup JobClassGroup JobTitle serial model lease_start lease_end ownership os carrier phone_number enrollment

(remember to always put in the base search all the fields you need in the panels).
Then in the panels you can use the rest of the search, e.g. stats count BY owner or table ...
P.S.: I grouped some commands (e.g. rename) to simplify your search.

Ciao.
Giuseppe

0 Karma
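
The layout described in the answer above, as an added Simple XML example that is not code from either poster: one base search ending in `fields`, and two panels that post-process it with `stats` and `table`. The base query is shortened to the ServiceNow part of the original search; the form input, dashboard label, panel titles and the chart/table choice are assumptions made for illustration.

```xml
<form>
  <label>Device inventory (constructed example)</label>
  <fieldset submitButton="false">
    <!-- Assumed input that supplies the $network_id$ token used by the base search -->
    <input type="text" token="network_id">
      <label>Network ID</label>
    </input>
  </fieldset>

  <!-- Base search: runs once. It ends in "fields" so that every field
       the post-process searches reference is passed on to them. -->
  <search id="base">
    <query>index=main sourcetype=snow:cmdb_ci_list dv_assigned_to!="" dv_assigned_to="*$network_id$*"
| dedup dv_serial_number
| eval serial=dv_serial_number
| rex field=dv_assigned_to "\((?&lt;owner&gt;[^\)]+?)\)"
| eval owner=lower(owner)
| fields owner serial</query>
    <earliest>-30d</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Devices per owner</title>
      <chart>
        <!-- Post-process search: only the part that differs per panel -->
        <search base="base">
          <query>stats count BY owner</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Device list</title>
      <table>
        <!-- Column selection and order happen here, not in the base search -->
        <search base="base">
          <query>table owner serial</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```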