topic Re: Post search stucks in Splunk Search

Post search stucks

stwong — Fri, 06 Jan 2017 10:08:22 GMT

Hi,

I tried to use post search to populate list options:

    <search id="baseSearch">
        <query>
          <![CDATA[index=application host="myhost*" status<400| rex field=uri "\/(?<deptcode>[^\/]+)\/" 
          ]]>
        </query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
    </search>
    <fieldset submitButton="false">
    <input type="time" token="field2">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="d_name" searchWhenChanged="true">
      <label>Select a department</label>
      <choice value="*">All</choice>
      <search base="baseSearch">
        <query>
          stats count by deptcode
        </query>
      </search>
      <fieldForLabel>deptcode</fieldForLabel>
      <fieldForValue>deptcode</fieldForValue>
    </input>
  </fieldset>

However, using single search works as expected:

    <input type="dropdown" token="d_name" searchWhenChanged="true">
      <label>Select a department</label>
      <choice value="*">All</choice>
      <search>
        <query>
          <![CDATA[index=application host="myhost*" status<400| rex field=uri "\/(?<deptcode>[^\/]+)\/" | stats count by deptcode
          ]]>
        </query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <fieldForLabel>deptcode</fieldForLabel>
      <fieldForValue>deptcode</fieldForValue>
    </input

Post search in panels in the same form also not working. Would anyone please help?
Sorry for the newbie question.

Thanks a lot.
Regards,
/ST Wong

Re: Post search stucks

renjith_nair — Fri, 06 Jan 2017 10:32:04 GMT

Try specifying the field explicitly in the base search and/or in the sub search. ie , after your base search try adding

your search | fields deptcode,other fields>

Re: Post search stucks

stwong — Fri, 06 Jan 2017 11:03:13 GMT

Thanks. The drop down list works after appending "fields" to the base search. May I know the reason behind?

However, post search in panels still not working (just "waiting for data"). e.g.

    <panel>
      <title>Time distribution of browser for department $d_name$</title>
      <chart>
        <search base="baseSearch">
          <query>
            search deptcode=$d_name$ | rename useragent as http_user_agent | lookup user_agents http_user_agent | timechart count by ua_family usenull=f useother=f
          </query>
        </search>

Again, using full search instead of base+post search works before. Would you help again?

Thanks a lot.

Re: Post search stucks

renjith_nair — Fri, 06 Jan 2017 11:23:19 GMT

See the details of search mode here : http://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Changethesearchmode

The user field extraction might not get effected when it runs in smart/fast mode.

For your second issue, try the same trick by adding fields at the end of drop down search

ie :

stats count by deptcode|fields deptcode

If it's not working , click on the search icon on the panel (below) and see what's the final search it's running. From there you will be able to identify

Re: Post search stucks

stwong — Fri, 06 Jan 2017 15:33:13 GMT

Got it. Passing more fields in base search makes post search work, however, the time range earliest and latest nodes specified in base search can't be passed to post searches. I also can't specify or nodes in post search (gives unknown node error if i specify them in post search). Probably something else is missed in my code....

Re: Post search stucks

stwong — Tue, 29 Sep 2020 12:19:10 GMT

Sorry that i accidentally added token="xxx" in time picker instead of using default time_tok. It works after removing the token field.
Somes post-process searches can only use default time_tok, right?