https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191965#M11994 <P>But wouldn't that mean, i am actually doing the search twice ? <BR /> I wanted to do the common part of the search just once and use the results twice(saving time).</P> Mon, 11 May 2015 14:30:39 GMT joydeep741 2015-05-11T14:30:39Z https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191963#M11992 <P>I have two almost similar queries as two panels in a dashboard. Can someone guide me how i can make use of searchPostProcessing in thies scenario<BR /> <STRONG>Query 1</STRONG><BR /> index=dotcom sourcetype=dotcom_access_log |eval traffictype= <BR /> case(<BR /> searchmatch("uri_path=<EM>/wcs/resources/store/10001</EM> AND NOT uri_path=<EM>kiosk</EM>"),"API HITS US", <BR /> searchmatch("uri_path=<EM>/wcs/resources/store/20001</EM> AND NOT uri_path=<EM>kiosk</EM>"),"API HITS CA", <BR /> searchmatch("uri_path=<EM>/cat_CL</EM> OR uri_path=<EM>/directory_</EM>"),"SEARCH HITS", <BR /> searchmatch("uri_path=<EM>/product_</EM>"),"PRODUCT PAGE HITS", <BR /> searchmatch("uri_path=<EM>daily*deals</EM>"),"DAILY DEALS HITS", <BR /> searchmatch("uri_path=<EM>kiosk</EM>"),"KIOSK HITS", 1==1, "DESKTOP HITS")<BR /><BR /> |timechart count by traffictype</P> <P><STRONG>Query 2</STRONG><BR /> index=dotcom sourcetype=dotcom_access_log |eval traffictype= <BR /> case(<BR /> searchmatch("uri_path=<EM>/wcs/resources/store/10001</EM> AND NOT uri_path=<EM>kiosk</EM>"),"API HITS US",<BR /> searchmatch("uri_path=<EM>/wcs/resources/store/20001</EM> AND NOT uri_path=<EM>kiosk</EM>"),"API HITS CA", <BR /> searchmatch("uri_path=<EM>/cat_CL</EM> OR uri_path=<EM>/directory_</EM>"),"SEARCH HITS", <BR /> searchmatch("uri_path=<EM>/product_</EM>"),"PRODUCT PAGE HITS", <BR /> searchmatch("uri_path=<EM>daily*deals</EM>"),"DAILY DEALS HITS", <BR /> searchmatch("uri_path=<EM>kiosk</EM>"),"KIOSK HITS", 1==1, "DESKTOP HITS")<BR /><BR /> |timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype</P> <P>I am not able to write a common transforming search(which will act as the searchTemplate/base search) for these two queries even though they both are almost same except for the last part.</P> Mon, 28 Sep 2020 19:56:20 GMT https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191963#M11992 joydeep741 2020-09-28T19:56:20Z https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191964#M11993 <P>Probably macros should the job for you.</P> <P>Create a macro for your common search like this:</P> <P><CODE>index=dotcom sourcetype=dotcom_access_log |eval traffictype=<BR /> case(<BR /> searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",<BR /> searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",<BR /> searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",<BR /> searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",<BR /> searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",<BR /> searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")</CODE> to a macro named as you need.</P> <P>And you can call it in search like this:</P> <P><CODE>(tilde symbol)macro_name(tilde symbol) |timechart count by traffictype</CODE><BR /> <CODE>(tilde symbol)macro_name(tilde symbol) | timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype</CODE></P> <P>You can know more about macro <A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Usesearchmacros?r=searc">here</A>.</P> Mon, 11 May 2015 14:06:06 GMT https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191964#M11993 krish3 2015-05-11T14:06:06Z https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191965#M11994 <P>But wouldn't that mean, i am actually doing the search twice ? <BR /> I wanted to do the common part of the search just once and use the results twice(saving time).</P> Mon, 11 May 2015 14:30:39 GMT https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191965#M11994 joydeep741 2015-05-11T14:30:39Z https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191966#M11995 <P>Try doing both <CODE>timechart</CODE> functions in one base operation, and then in your postprocesses filter out the fields you want.</P> <P>Base search:</P> <PRE><CODE>... big common search | timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype </CODE></PRE> <P>Postprocess 1:</P> <PRE><CODE>| fields _time count* </CODE></PRE> <P>Postprocess 2:</P> <PRE><CODE>| fields _time "Response Time*" </CODE></PRE> Mon, 11 May 2015 15:48:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191966#M11995 aweitzman 2015-05-11T15:48:27Z https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191967#M11996 <P>Thanks. That worked..!!</P> Tue, 12 May 2015 04:45:36 GMT https://community.splunk.com/t5/Dashboards-Visualizations/implementing-searchPostProcess/m-p/191967#M11996 joydeep741 2015-05-12T04:45:36Z