Hello Splunk and Sideview Utils experts,
I have a problem with nested searches that I hope someone here can help me with.
I'm using the Sideview Utils Search module for my main search, downstream of which are a few PostProcess modules to display the results. These all work great. One of the PostProcess modules passes through to a SimpleResultsTable, to which I'm attempting a drilldown to launch a new search - it's this search which I'm having difficulty with.
The outermost search just checks the access log:
host="(myHost)" source="access.log.*" request=/service/* status=200 | fields user duration request bytes
The PostProcess search amends the results of the Search to give a bit more detail on the breakdown by user:
chart count AS "Requests" sum(duration) AS "Total Duration" avg(duration) AS "Avg. Duration" sparkline(count) AS "Activity" by user
Inside this PostProcess I have a SimpleResultsTable:
row
Now, inside the SimpleResultsTable I'm trying to launch a whole new Search so that I can display another table showing requests broken down by user. The query doesn't bring back any results via the drilldown, even though it works as an independent search. I assume that the search is being performed against the results already passed down from the upstream search and postprocess, instead of against the full dataset. Here's the new search:
host="(myHost)" source="access.log.*" request="/service/*" status=200 user=$click.value$ | chart count avg(duration) AS "Avg Duration" sparkline(avg(duration)) AS "Duration Trend" avg(bytes) AS "Avg Bytes" sparkline(sum(bytes)) AS "Bytes Transferred Trend" by request
So, that search doesn't work, but if I use another nested PostProcess instead, the PostProcess runs ok - except that now I've no way (that I know of) to add in the user=$click.value$ filtering that I need in order to show the queries for each user. Here's the PostProcess search:
chart count avg(duration) AS "Avg Duration" sparkline(avg(duration)) AS "Duration Trend" avg(bytes) AS "Avg Bytes" sparkline(sum(bytes)) AS "Bytes Transferred Trend" by request
Any help anyone can offer with this would be greatly appreciated!
Thanks,
Andy.