Is it possible to pass text to a SingleValue Panel? I am able to create a SingleValue panel and display numeric values with no problem. But as soon as I take a field that returns a text value instead of numeric the SingleValue field displays "Invalid Field".
Am I taking the right approach to displaying a single text value?
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
<param name="search">index=dna sourcetype=dna dest_host="XXXXXXXX" | dedup dest_host | </param>
<param name="earliest">-24h</param>
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1">
<param name="search">stats first(dest_ip)</param>
<module name="SingleValue">
<param name="field">first(dest_ip)</param>
<param name="beforeLabel">IP Address:</param>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp2">
<param name="search">stats first(dest_city) AS city first(dest_state) AS state first(dest_country) AS country | eval location=city.",".state." ".country</param>
<module name="SingleValue">
<param name="field">location</param>
<param name="beforeLabel">Home Location:</param>
</module>
</module>
</module>
This is a common problem that you're hitting but it's not a SingleValue problem. SingleValue can display text values just fine.
What it is, is that when you refer to a field in a postProcess search, you have to make sure that the field will be there in the underlying search results.
So here the postProcess is referring to a field called 'dest_ip', however nobody told the main search that 'dest_ip' was an important field so it will not have preserved it. (Splunkd doesnt do unnecessary work- it'll only extract and preserve the fields that it beleives are necessary to fulfill the search at search time)
Short version: If you add | fields dest_host dest_ip
onto the end of your base search it'll work.
Check out the 'Using postProcess on dashboards' view within the 'UI Examples for 4.1' app, available on splunkbase. It talks a lot about the pitfalls that can ruin your day when you're using postprocess and this is definitely one.
This is a common problem that you're hitting but it's not a SingleValue problem. SingleValue can display text values just fine.
What it is, is that when you refer to a field in a postProcess search, you have to make sure that the field will be there in the underlying search results.
So here the postProcess is referring to a field called 'dest_ip', however nobody told the main search that 'dest_ip' was an important field so it will not have preserved it. (Splunkd doesnt do unnecessary work- it'll only extract and preserve the fields that it beleives are necessary to fulfill the search at search time)
Short version: If you add | fields dest_host dest_ip
onto the end of your base search it'll work.
Check out the 'Using postProcess on dashboards' view within the 'UI Examples for 4.1' app, available on splunkbase. It talks a lot about the pitfalls that can ruin your day when you're using postprocess and this is definitely one.
Awesome. This worked perfectly. Thanks for the quick response!