sideview utils not using full search

brettcave
Builder

I have recently just installed and started using sideview utils to build a dashboard. I have a (relatively) large search base, parameterized with a TextField, that produces a few fields. There are then 3 PostProcesses of that search. The post process searches also have quite a few operators. In the results, the post processed results seem to be trimmed / cut. Here is an example of the structure of my view (pseudo code):

<view>
  textfield name=userFilter template=UserID="$value$"
    button
      search
        postprocess
          html
          table
        postprocess
          html
          table
        postprocess
          html
          table

The search creates fields based on event types (e.g. ... | eval UserDetail=if(eventtype="ProfileUpdate",_time." ".Detail1." ".Detail2,NULL)) and then uses stats to get the latest of each created field.

The postprocess search then splits the fields into MV fields and builds a single field from that: | eval UserMV=split(UserDetail," ") | eval Detail1=mvindex(UserMV,0) | eval Detail2=mvindex(UserMV,1) | eval UserDetail="$ ".round(Detail1)." (".round(Detail2)."%)" | table UserDetail | rename UserDetail AS "Dollar Value (%)"

In the above example, I use the same sort of approach with 3 sets of fields and end up with a table with 3 columns. When the results are loaded though, the 2nd column is the only column that is generated, and it is loaded under the first column's heading.

Any reason why this is happening?

1 Solution

sideview
SplunkTrust

You can use "$" characters in your searches; you just need to use two consecutive characters like so: $$

So just change your search to this:

| eval UserMV=split(UserDetail," ") | eval Detail1=mvindex(UserMV,0) | eval Detail2=mvindex(UserMV,1) | eval UserDetail="$$ ".round(Detail1)." (".round(Detail2)."%)" | table UserDetail | rename UserDetail AS "Dollar Value (%)"

and it will work fine. This was actually explained in the Sideview Utils documentation although it used to be a little hidden. I've since reworked the docs a little so this is called out in more places in the docs, and a little more loudly.

Since it only takes a few moments to upgrade Sideview Utils to latest, make sure you're up to date if only for the constant docs improvements. http://sideviewapps.com/apps/sideview-utils
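
As an added example (not part of the original posts and not Sideview Utils code), here is a small JavaScript check to run over a search string before it goes into a view: it flags any "$" that is neither a "$$" escape nor a reference to a token the view defines, and rewrites it as "$$". The token name userFilter is taken from the question's pseudo-view; the function names are hypothetical.

```javascript
// Added example, not Sideview Utils code. Function names are hypothetical.
// Rule taken from the thread: "$" delimits tokens, "$$" is one literal "$".

// Return the index of every "$" that is neither part of a "$$" escape
// nor part of a $token$ reference to a token the view actually defines.
function findUnescapedDollars(search, knownTokens) {
  const findings = [];
  let i = 0;
  while (i < search.length) {
    if (search[i] !== "$") { i += 1; continue; }
    if (search[i + 1] === "$") { i += 2; continue; }   // "$$" escape
    const close = search.indexOf("$", i + 1);
    const name = close === -1 ? null : search.slice(i + 1, close);
    if (name !== null && knownTokens.has(name)) {        // intended $token$
      i = close + 1;
      continue;
    }
    findings.push(i);                                    // stray literal "$"
    i += 1;
  }
  return findings;
}

// Rewrite each stray "$" as "$$" and leave escapes and known tokens alone.
function escapeLiteralDollars(search, knownTokens) {
  const stray = new Set(findUnescapedDollars(search, knownTokens));
  let out = "";
  for (let i = 0; i < search.length; i += 1) {
    out += stray.has(i) ? "$$" : search[i];
  }
  return out;
}

// Constructed sample: the token name is from the question's pseudo-view,
// the eval is the simplified postprocess from the follow-up comment.
const tokens = new Set(["userFilter"]);
const sample = 'UserID="$userFilter$" | eval someField="$".round(someField)';
console.log(findUnescapedDollars(sample, tokens));
console.log(escapeLiteralDollars(sample, tokens));
```

Running the rewrite on an already escaped search leaves it unchanged, so it is safe to apply more than once.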

brettcave
Builder

The issue is because you cannot use eval X="$".X with sideview - it tries to interpret the $ as a variable instead of a literal.


brettcave
Builder

Anyone experience this with sideview utils?


brettcave
Builder

I've simplified the base search now, removing the build-up of compound fields, and just have 1 x stats command that uses latest() of various fields.

PostProcess consists of 2 evals for formatting: ... | eval someField="$".round(someField) | eval otherField=round(otherField)."%" and it is still doing the same thing.
