sideview utils doing strange stuff with fields

brettcave
Builder

I am struggling with getting the relevant fields through sideview utils.

I initially had a TextField with a button as child, and a search as a child to that. I then use the textfield as a filter in the base search, which has PostProcess sub-modules. I've now removed all post process modules.

My search consists of a series of evals followed by a stats followed by more evals.

... | stats latest(SomeField) as SomeField latest(OtherField) as OtherField | eval SomeField="$".round(SomeField) | eval OtherField=round(OtherField)."%" | table SomeField OtherField | rename SomeField AS "Some Field Header" OtherField AS "Other Field Header"

relatively straight-forward, I would think. But when I run this search, I get random results. My evals aren't processed in some places.

There's about 10 fields, and of those, some are rounded, some aren't, some have the formatting done, some don't.

what is happening, why is sideview so unreliable in terms of results??

brettcave
Builder

The error was being caused by an ... | eval X="$".X in the search / PostProcess. Sideview Utils interprets this as a variable.

Now just need to figure out how to format currency using a different approach.

sideview
SplunkTrust

See the documentation about using $$ to escape literal $ characters. Admittedly you have to actually read the core documentation and come across it - there is no page saying "what if i want to use a dollar sign".

But if you go to "Key Techniques > Embedding dynamic values into your own HTML > Embedding HTML and including $foo$ values", there is a panel that talks about exactly this, titled "what if i want to use an actual dollar sign character?"

And reading the core documentation is a good thing to do. There is all kinds of useful information and best-practice stuff in there that will save you a great deal of time in future if you spend a little time reading it now.
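
Added example (not part of the original thread, and not Sideview Utils' own code): a simplified Python model of `$token$` substitution with the `$$` escape, showing why two `"$".` literals swallow the evals between them, plus a check that flags such spans before a view is saved. The token grammar, function names and sample searches are assumptions constructed for illustration.

```python
import re

# Simplified model (an assumption, not Sideview's implementation):
# "$$" is an escaped literal dollar, "$name$" is a token reference.
_TOKEN = re.compile(r"\$\$|\$([^$]*)\$")


def substitute(template, context):
    """Replace $name$ with context[name] ('' if undefined) and $$ with '$'."""
    def repl(match):
        if match.group(0) == "$$":
            return "$"
        return str(context.get(match.group(1), ""))
    # A lone, unpaired '$' is left untouched in this model.
    return _TOKEN.sub(repl, template)


def find_unescaped_dollars(template, known_tokens):
    """Return spans that would be consumed as tokens but are not known names."""
    return [
        m.group(0)
        for m in _TOKEN.finditer(template)
        if m.group(0) != "$$" and m.group(1) not in known_tokens
    ]


# Constructed sample searches: one real token ($user$) and two currency evals.
BROKEN = ('user="$user$" | eval value="$".round(value) '
          '| eval cost="$".round(cost) | table value cost')
FIXED = ('user="$user$" | eval value="$$".round(value) '
         '| eval cost="$$".round(cost) | table value cost')

if __name__ == "__main__":
    ctx = {"user": "alice"}
    print(substitute(BROKEN, ctx))   # text between the two literal $ is gone
    print(substitute(FIXED, ctx))    # both evals survive with a literal $
    print(find_unescaped_dollars(BROKEN, {"user"}))
```
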

martin_mueller
SplunkTrust

That, on both counts 😛

sideview
SplunkTrust

Then you're more diligent than most. 😃 Keep going - I know from experience that time reading the docs pays a huge ongoing dividend. Which is the only reason I harp on it to the point of being annoying. Possibly past it.

brettcave
Builder

yeah - i worked through about half the docs and examples, was trying to get a report done under a bit of a time constraint so dove in without finishing the examples. will continue working through docs and examples this week.

martin_mueller
SplunkTrust

Give $$ a try.

brettcave
Builder

yep - all my problems disappeared when I removed the "$". from the eval statements. Looks like sideview was trying to interpret those as variables I guess. I also tried escaping the dollar signs but it didn't work. How would I go about using ... | eval DollarField="$".round(DollarField) in sideview?

brettcave
Builder

Here's the (simplified) search configuration that I have:

| eval lastLogin=strftime(lastLogin,"%F %T") 
| eval regDate=strftime(RegTime,"%F %T")
| eval value="$".round(value) 
| table regDate numLogins lastLogin value numAccnts 

This is what I see in the debug:

| eval lastLogin=strftime(lastLogin,"%F %T") | eval regDate=strftime(RegTime,"%F %T") | eval value="".round(IDAvg) | table regDate numLogins lastLogin value numAccnts 

So value="$".round(value) becomes value="".round(IDAvg). Something to do with the $ perhaps? I use IDAvg, just removed it for the e.g.

brettcave
Builder

Well yes and no. I added an HTML module with $search$ in it so I can debug the search. When I do this, the original search that I configured the view with is being modified. So in the Splunk manager, the search has 4 evals, looking at the value of $search$, there's only 1 - for some reason, the configured search is being reduced. A copy and paste of the search yields the same results as the sideview, but it's not how the view is configured.

martin_mueller
SplunkTrust

Are the results reliable when you run the search manually?
