I have recently just installed and started using sideview utils to build a dashboard. I have a (relatively) large search base, parameterized with a TextField, and produces a few fields. There are then 3 PostProcesses of that search. The post process searches also have quite a few operators. In the results, the post processed results seem to be trimmed / cut. Here is an example of the structure of my view (pseudo code):
<view>
textfield name=userFilter template=UserID="$value$"
button
search
postprocess
html
table
postprocess
html
table
postprocess
html
table
The search creates fields based on event types (e.g. ... | eval UserDetail=if(eventtype="ProfileUpdate",_time." ".Detail1." ".Detail2,NULL)
and then uses stats to get the latest of each created field.
The postprocess search then splits the fields into MV fields and builds a single field from that: | eval UserMV=split(UserDetail," ") | eval Detail1=mvindex(UserMV,0) | eval Detail2=mvindex(UserMV,1) | eval UserDetail="$ ".round(Detail1)." (".round(Detail2)."%)" | table UserDetail | rename UserDetail AS "Dollar Value (%)"
In the above example, I use the same sort of approach with 3 sets of fields and end up with a table with 3 columns. When the results are loaded though, the 2nd column is the only column that is generated, and it is loaded under the first columns heading.
Any reason why this is happening?
You can use "$" characters in your searches, you just need to use two consecutive characters like so: $$
So just change your search to this:
| eval UserMV=split(UserDetail," ") | eval Detail1=mvindex(UserMV,0) | eval Detail2=mvindex(UserMV,1) | eval UserDetail="$$ ".round(Detail1)." (".round(Detail2)."%)" | table UserDetail | rename UserDetail AS "Dollar Value (%)"
and it will work fine. This was actually explained in the Sideview Utils documentation although it used to be a little hidden. I've since reworked the docs a little so this is called out in more places in the docs, and a little more loudly.
Since it only takes a few moments to upgrade Sideview Utils to latest, make sure you're up to date if only for the constant docs improvements. http://sideviewapps.com/apps/sideview-utils
You can use "$" characters in your searches, you just need to use two consecutive characters like so: $$
So just change your search to this:
| eval UserMV=split(UserDetail," ") | eval Detail1=mvindex(UserMV,0) | eval Detail2=mvindex(UserMV,1) | eval UserDetail="$$ ".round(Detail1)." (".round(Detail2)."%)" | table UserDetail | rename UserDetail AS "Dollar Value (%)"
and it will work fine. This was actually explained in the Sideview Utils documentation although it used to be a little hidden. I've since reworked the docs a little so this is called out in more places in the docs, and a little more loudly.
Since it only takes a few moments to upgrade Sideview Utils to latest, make sure you're up to date if only for the constant docs improvements. http://sideviewapps.com/apps/sideview-utils
issue is because you cannot use eval X="$".X
with sideview - it tries to interpret the $
is a variable instead of literal.
anyone experience this with sideview utils?
I've simplied the base search now, removing the build-up of compound fields, and just have 1 x stats command that uses latest() of various fields.
PostProcess consists of 2 evals for formatting: ... | eval someField="$".round(someField) | eval otherField=round(otherField)."%"
and it is still doing the same thing.