All Apps and Add-ons

PostProcess search filters seem to be missing results (sideview)

brettcave
Builder

hi,

I'm building a dashboard using the awesome Sideview Utils, but in my view, I seem to be missing data. My view has the following structure:

<search>
    <postprocess>
    <postprocess>
    <postprocess>
    <postprocess>

each postprocess has a pager->table to render results. the base search returns results from stats:

... | stats latest(x) as x latest(y) as y latest(z) as z by UserID

And then each PostProcess looks at different fields, for e.g.

eval segment1=case(isnull(x),"None",x&gt;10,"Big",x=0,"None") | stats dc(UserID) as NumUsers by segment1 | addcoltotals labelfield=segment1 label=TOTAL

And then the 2nd PostProcess will segment based on "y". the above is a really simplified example of what the actual search is doing, but they all have a similar approach: segment according to a field, and then run through stats by the segmentation field. When I run the view, I get inconsistent numbers - all 4 postprocesses should come up with the same number of users in the total, but 1 & 2 return 3802 users (correct), while the 3rd and 4th postprocess returns "308". I've added "$search$" to a debug panel and run the 3rd of 4th postprocess appended to the actual search, and when I run as a standard search, I get the correct number of results - 3802.

Is there any reason or configuration options I should be looking out for that limits the results in downstream postprocess configurations?

1 Solution

brettcave
Builder

typical... spend hours trying to debug the problem with a search, post a question here, and then spot the mistake.

I had renamed a field in the stats (numUsers), and was referencing the old fieldname in a ... | fields numVisitors....

all results are now consistent.

View solution in original post

brettcave
Builder

typical... spend hours trying to debug the problem with a search, post a question here, and then spot the mistake.

I had renamed a field in the stats (numUsers), and was referencing the old fieldname in a ... | fields numVisitors....

all results are now consistent.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...