Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

HiddenPostProcess limitations

fk319
Builder
‎10-26-2010 09:03 PM

I had 5 summary indexes that I was able to compress into one. It turns out my final index takes about 1/4 of the space.

The problem is that I have about 400 sumary events per minute and I would like to have one search and then just sumarize in each of the 5 charts.

I am only able to process about 24 minutes, where I would like to process about 4 hours.

Everything was working fine when I had 5 independant searches, but when I started using HiddenSearch/HiddenPostProcess I started loosing data.

I seem to be hitting the 10,000 event, and I do know know how to construct my query to get around this issue.

Any Ideas?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-26-2010 09:15 PM

The basic idea is to have the base search never match events, but instead end in a | stats count, sum(someField) by foo, bar, baz, bat, where each of the fields you're interested in is represented there somewhere.

The reason is that the stats search will compress the number of rows down a lot (you almost certainly want to put in a bucket command before the stats if you need _time), and even if it doesnt compress it much, stats isnt subject to any limitation on the number of rows, so they'll all be there.

1) Check out the app 'ui examples for 4.1', which has a view under Advanced XML called 'Using postProcess on dashboards'. That view has a lot more discussion and advice around these issues.

2) And a lot of the same items are discussed here in the docs: http://docs.splunk.com/Documentation/Splunk/4.1/Developer/PostProcess

Although notably the docs only seem to explain half of the reason for using the stats clause in the base search.

View solution in original post

Reply
Solved! Jump to solution

baddogdown
New Member
‎11-29-2012 01:38 AM

The above link http://www.splunk.com/base/Documentation/latest/Developer/PostProcess is broken. Please can someone fix it.

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-26-2010 09:15 PM

The basic idea is to have the base search never match events, but instead end in a | stats count, sum(someField) by foo, bar, baz, bat, where each of the fields you're interested in is represented there somewhere.

The reason is that the stats search will compress the number of rows down a lot (you almost certainly want to put in a bucket command before the stats if you need _time), and even if it doesnt compress it much, stats isnt subject to any limitation on the number of rows, so they'll all be there.

1) Check out the app 'ui examples for 4.1', which has a view under Advanced XML called 'Using postProcess on dashboards'. That view has a lot more discussion and advice around these issues.

2) And a lot of the same items are discussed here in the docs: http://docs.splunk.com/Documentation/Splunk/4.1/Developer/PostProcess

Although notably the docs only seem to explain half of the reason for using the stats clause in the base search.

Reply
Solved! Jump to solution

fk319
Builder
‎11-02-2010 04:37 PM

we upgraded to 4.1.5, the 50,000 limit was changed.

0 Karma
Reply
Solved! Jump to solution

fk319
Builder
‎10-27-2010 04:14 PM

Nick, that app has some good info, but I does not help me in my case. I will just have to use multipule queries.

0 Karma
Reply
Solved! Jump to solution

fk319
Builder
‎10-26-2010 09:38 PM

ok, I remembered when I had 'stats', I had the left most part of the graph, and when I used 'fields' I had the right most part.

The 5 queries are from the same data, but I am presenting the data in different ways, IP, Method, RunTime and ReturnCode. It turns out that each of these methods I present in a second graph, I group the results a bit.

As for the bucket, I will do that in my next view, where I expand my time window.

I have review you link in 2), but I have not located 1) yet.

Thanks.....

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...