Drilldown to a postprocess

sbsbb · ‎03-27-2013

I would like to have a table base on the main search, and that clicking on the row, would update the postprocess search string.

Goal is to display a postprocess table based on the fields from the selected source-table...

sideview · ‎03-27-2013

It's very easy using Sideview Utils, and not possible for a couple reasons using just the core UI.

Here's an example matching what you're asking. The first table displays unique combinations of group and series fields from the metrics data, and when you drilldown there's a second Table that renders information about just the series values for the selected row's group field, via PostProcess. All of the modules shown are Sideview modules.

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">index=_internal source="*metrics.log" group="per_*_thruput"  | stats count by group series</param>
  <param name="earliest">-12h</param>

  <module name="Pager">
    <module name="Table">
      <module name="PostProcess">
        <param name="search">search group="$row.fields.group$" | stats count by series</param>
        <module name="Pager">
          <module name="Table" />
        </module>
      </module>
    </module>
  </module>
</module>

If you wanted to try and do this using core UI, you'd have one problem that Splunk's HiddenPostProcess can not incorporate any dynamic arguments, even with intentions, and also the Paginator module wouldn't account for the postProcess search so it wouldn't draw the right number of page links.

Here's another example, where I actually use a first PostProcess to dedup the 'group' fields. I feel this makes a little more sense interactively.

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">index=_internal source="*metrics.log" group="per_*_thruput"  | stats count by group series</param>
  <param name="earliest">-12h</param>

  <module name="PostProcess">
    <param name="search">dedup group</param>

    <module name="Pager">
      <module name="Table">
        <module name="PostProcess">
          <param name="search">search group="$row.fields.group$" | stats count by series</param>
          <module name="Pager">
            <module name="Table" />
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

Note that you should make sure you're using the latest version, which is only available from the Sideview website. Sideview Utils is very actively developed and you should keep up to date to get the benefits of bugfixes and performance improvements, let alone new features. 😃

sideview · ‎03-28-2013

ddarmand: Basically because the licensing on Sideview Utils changed in 2.0. However it's still effectively free software for 99% of current users using it in their own Splunk deployments and in my opinion everyone using the old Splunkbase version in their internal Splunk deployments should be upgrading to latest.

sideview · ‎03-28-2013

You can look into the HTML module to just display a small number of field values very easily, by embedding $results[0].someFieldName$ anywhere in your HTML. Check out this docs page for the HTML module "Module Documentation> The HTML Module > Embedding HTML and including search results"

sbsbb · ‎03-28-2013

?? I'm already using the latest sideview...

My problem is that I want in my drilldown to make an spath on one of the row.fields... and I don't know how to do it

ddarmand · ‎03-28-2013

Why don't you update the version on splunk apps of sideview utils ?

sbsbb · ‎03-28-2013

Many thanks for that...
Could you explain me how to only display the content of one field from the search ? It is an XML field, and I want to make an spath in the postprocess.

In your example, your are grouping the results, I just want to display them... Or do I've missunderstood ?

Drilldown to a postprocess

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!