I am struggling with getting the relevant fields through sideview utils.
I initially had a TextField with a button as child, and a search as a child to that. I then use the textfield as a filter in the base search, which has PostProcess sub-modules. I've now removed all post process modules.
My search consists of a handful of a series of evals
followed by a stats
followed by more more evals
.
... | stats latest(SomeField) as SomeField latest(OtherField) as OtherField | eval SomeField="$".round(SomeField) | eval OtherField=round(OtherField)."%" | table SomeField OtherField | rename SomeField AS "Some Field Header" OtherField AS "Other Field Header"
relatively straight-forward, I would think. But when I run this search, I get random results. My evals aren't processed in some places.
There's about 10 fields, and of those, some are rounded, some aren't, some have the formatting done, some don't.
what is happening, why is sideview so unreliable in terms of results??
The error was being caused by an ... | eval X="$".X
in the search / PostProcess. Sideview Utils interprets this as a variable.
Now just need to figure out how to format currency using a different approach.
See the doummentation about using $$ to escape literal $ characters. Admittedly you have to actually read the core documentation and come across it - there is no page saying "what if i want to use a dollar sign".
But if you go to "Key Techniques > Embedding dynamic values into your own HTML > Embedding HTML and including $foo$ values", there is a panel that talks about exactly this, titled "what if i want to use an actual dollar sign character?"
And reading the core documentation is a good thing to do. There is all kinds of useful information and best-practice stuff in there that will save you a great deal of time in future if you spend a little time reading it now.
That, on both counts 😛
Then you're more diligent than most. 😃 Keep going - I know from experience that time reading the docs pays a huge ongoing dividend. Which is the only reason I harp on it to the point of being annoying. Possibly past it.
yeah - i worked through about half the docs and examples, was trying to get a report done under a bit of a time constraint so dove in without finishing the examples. will continue working through docs and examples this week.
The error was being caused by an ... | eval X="$".X
in the search / PostProcess. Sideview Utils interprets this as a variable.
Now just need to figure out how to format currency using a different approach.
Give
$$
a try.
yep - all my problems disappeared when i remove the "$". from the eval statements. Looks like sideview was trying to interpret those as variables I guess. I also tried escaping the dollar signs but didn't work. How would I go about using ... | eval DollarField="$".round(DollarField)
in sideview?
Here's the (simplified) search configuration that I have:
| eval lastLogin=strftime(lastLogin,"%F %T")
| eval regDate=strftime(RegTime,"%F %T")
| eval value="$".round(value)
| table regDate numLogins lastLogin value numAccnts
This is what I see in the debug:
| eval lastLogin=strftime(lastLogin,"%F %T") | eval regDate=strftime(RegTime,"%F %T") | eval value="".round(IDAvg) | table regDate numLogins lastLogin value numAccnts
So value="$".round(value)
becomes value="".round(IDAvg)
. Something to do with the $
perhaps? I use IDAvg, just removed it for the e.g.
Well yes and no. I added an HTML module with $search$ in it so I can debug the search. When I do this, the original search that I configured the view with is being modified. So in the Splunk manager, the search has 4 evals, looking at the value of $search$, there's only 1 - for some reason, the configured search is being reduced. A copy and past of the search yields the same results as the sideview, but it's not how the view is configured.
Are the results reliable when you run the search manually?