Problem with Post Process

lemikg
Communicator

Hi,

I am having an issue with a simple PostProcess implementation. Unfortunately, PostProcess isn't picking up the search streamed from above.

Maybe I am missing something and hopefully somebody can help me find the problem in this design.

Thanks in advance.

Cheers
Mike


<module name="Search" group="logs">
  <param name="group">logs</param>
  <param name="search"><![CDATA[
    host="$selectedHost$" sourcetype="apache" status_code!="200" status_code!="304" |
    eval codedesc=case(
      status_code==100,"100 Continue",
      status_code==101,"101 Switching Protocols",
      ...
      status_code==510,"510 Not Extended"
    )
  ]]></param>
  <module name="PostProcess">
    <param name="search">
      | timechart count by codedesc useother=f usenull=f
    </param>
    <module name="HiddenChartFormatter">
      <param name="secondaryAxisTitle.text"># counts</param>
      <param name="legend.placement">right</param>
      <param name="chart">area</param>
      <module name="JSChart">
        <param name="height">350px</param>
      </module>
    </module>
  </module>
  <module name="PostProcess" layoutPanel="panel_row2_col1">
    <param name="search">
      | convert timeformat="%H:%M:%S" ctime(_time) AS Time
      | stats count by Time clientip host codedesc
      | rename codedesc AS "Code Description"
    </param>
    <module name="Pager" layoutPanel="panel_row2_col1">
      <param name="count">20</param>
      <module name="SimpleResultsTable" layoutPanel="panel_row2_col1" />
    </module>
  </module>
</module>

1 Solution

sideview
SplunkTrust

I assume that the first PostProcess is working fine, and it's the second one only that's giving you trouble?

The problem with the second one is that the postProcess search references the clientip field, but that field is not referenced anywhere in the base search. The lack of a reference in the base search means that Splunk will not actually extract or preserve that field. As a result you have only null values for 'clientip' come postprocess time, and stats count by Time clientip host codedesc will always omit rows for which any of those fields are null. If clientip is null for every row, then stats will throw away all of the rows.

The simplest solution feels a little lame, and that's to throw a | fields clientip * on the end of your base search. That will be enough to tell splunkd that you care about clientip, and it will then extract and preserve the values for you.

The slightly better way is to follow best practice and not actually use postProcess in a situation where the base search is just a plain old set of events. For more information on why it's not great to do this, read the Sideview Utils docs under "Key Techniques > Using PostProcess > introduction".

I've just noted that the unextracted-field pitfall isn't actually mentioned on that docs page, but I'll remedy that in the next release.

0 Karma
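An added example, not code from the original post or from the Sideview Utils docs: the same dashboard rebuilt so that the base search is a transforming search rather than a raw set of events, which is how I read the "slightly better way" above. Because the base search itself groups by clientip, host and codedesc, the field is extracted and kept without a separate fields clause, and each PostProcess only re-aggregates the counts. Field and token names (status_code, clientip, codedesc, $selectedHost$) are taken from the post; the 1-minute bin span is an assumption, and the case() mapping is shortened to three entries plus a catch-all (true()) in place of the full list, which the post elides.

```xml
<!-- Added example (not the asker's dashboard or Sideview's docs).
     Transforming base search: stats already references clientip, so
     splunkd extracts and keeps it for both PostProcess children. -->
<module name="Search" group="logs">
  <param name="group">logs</param>
  <!-- case() is shortened to three codes plus a catch-all; the post's
       full 1xx-5xx mapping belongs here. -->
  <param name="search"><![CDATA[
    host="$selectedHost$" sourcetype="apache" status_code!="200" status_code!="304"
    | eval codedesc=case(
        status_code==403,"403 Forbidden",
        status_code==404,"404 Not Found",
        status_code==500,"500 Internal Server Error",
        true(),status_code)
    | bin _time span=1m
    | stats count by _time clientip host codedesc
  ]]></param>

  <!-- Chart panel: roll the per-minute rows back up into a timechart.
       span=1m matches the bin above (assumed value). -->
  <module name="PostProcess">
    <param name="search">
      | timechart span=1m sum(count) AS count by codedesc useother=f usenull=f
    </param>
    <module name="HiddenChartFormatter">
      <param name="secondaryAxisTitle.text"># counts</param>
      <param name="legend.placement">right</param>
      <param name="chart">area</param>
      <module name="JSChart">
        <param name="height">350px</param>
      </module>
    </module>
  </module>

  <!-- Table panel: clientip is populated here, so this stats keeps its rows. -->
  <module name="PostProcess" layoutPanel="panel_row2_col1">
    <param name="search">
      | convert timeformat="%H:%M:%S" ctime(_time) AS Time
      | stats sum(count) AS count by Time clientip host codedesc
      | rename codedesc AS "Code Description"
    </param>
    <module name="Pager" layoutPanel="panel_row2_col1">
      <param name="count">20</param>
      <module name="SimpleResultsTable" layoutPanel="panel_row2_col1" />
    </module>
  </module>
</module>
```

Two things worth checking if you keep the event-level base search and go with the minimal fix instead. First, the fields clause has to name every field the post-process searches rely on: adding another column to the table later means extending that clause as well, or the new column comes back null and stats silently drops the rows again. Second, the same null-drop applies to codedesc itself: a case() with no catch-all branch leaves codedesc null for any status code not in the mapping, and both stats and timechart with usenull=f will discard those events, which is why the example above ends the case() with true(),status_code.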

lemikg
Communicator

Hi Nick,
I added the | fields src_ip to my base search and then it worked as you stated. Thank you very much... again.
Regards from Cologne
Mike

0 Karma