HiddenPostProcess vs PostProcess?

fk319
Builder

What is the difference between Splunk's HiddenPostProcess and Sideview Utils PostProcess?

1 Solution

sideview
SplunkTrust

The most important difference is that the Sideview PostProcess module handles $foo$ tokens, whereas Splunk's HiddenPostProcess module does not. To break down what this means, with the Sideview PostProcess module you can put $selectedUser$ into the postProcess search, and if there's a module like a Pulldown upstream outputting that key, then the selected Pulldown value can be incorporated into the postProcess search. With the Splunk HiddenPostProcess module you can't include any dynamic tokens like this (even with intentions in the picture) and instead you're limited to whatever single static postprocess search string that the dashboard developer hardcoded into the view. While HiddenPostProcess has been a useful tool over the years even with that limitation, it is a big limitation.

Past that, there's a long tail of smaller improvements worth mentioning, mostly around all the $foo$ tokens that Sideview Utils adds to make life easier. There are keys like $search.timeRange.earliest$, $search.timeRange.latest$ to get the timebounds of the search, which might be relative, or realtime, or absolute. There are other keys like $results.sid$, $results.eventCount$, $results.scanCount$, and several others to get characteristics of the running job. For instance $results.timeRange.earliest$ and $results.timeRange.latest$ will give you the timerange of the running job, which is subtly different than the timerange of the search, primarily because the job's timerange will always be an absolute timerange, whereas the search timerange might be a relative range like (-24h,now).

You can also refer to the previously existing postProcess search from upstream as $postProcess$ within your PostProcess, which can be a useful trick. And like all Sideview modules, it offers you a customBehavior param in case you hit some weird case in advanced dashboard development where you need to cleanly extend the behavior with a few lines of your own JavaScript.

NOTE: for anyone who might be slow to upgrade, many or most of these extra $foo$ tokens I mentioned are only going to be found in the 2.X versions of Sideview Utils, rather than the older 1.3.X version.
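
The contrast described in the answer above, as an added Advanced XML sketch that is not part of the original answer or of Sideview's documentation. The base search, the `user` field, the hardcoded value `admin` and the layout panels are assumptions chosen for illustration; the view assumes Sideview Utils 2.X is installed.

```xml
<!-- Added illustration: searches, field names and panels are assumed. -->
<view template="dashboard.html">
  <label>HiddenPostProcess vs PostProcess (constructed example)</label>
  <!-- Sideview Utils expects this module once in every view that uses it. -->
  <module name="SideviewUtils" layoutPanel="appHeader" />

  <!-- Splunk's modules: the postprocess string is fixed when the view is
       written, so the user value below cannot follow a Pulldown selection. -->
  <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=_audit action=search | stats count by user</param>
    <param name="earliest">-24h</param>
    <module name="HiddenPostProcess">
      <param name="search">search user="admin"</param>
      <module name="SimpleResultsTable" />
    </module>
  </module>

  <!-- Sideview modules: the Pulldown publishes $selectedUser$ and the
       downstream PostProcess substitutes it on every change. -->
  <module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">index=_audit action=search | stats count by user</param>
    <param name="earliest">-24h</param>
    <module name="Pulldown">
      <param name="name">selectedUser</param>
      <param name="label">User</param>
      <param name="valueField">user</param>
      <module name="PostProcess">
        <param name="search">search user="$selectedUser$"</param>
        <!-- Job keys versus search keys: the job range is always absolute,
             the search range here stays the relative -24h. -->
        <module name="HTML">
          <param name="html"><![CDATA[
            Job $results.sid$ scanned $results.scanCount$ events.<br/>
            Search range: $search.timeRange.earliest$ to $search.timeRange.latest$<br/>
            Job range: $results.timeRange.earliest$ to $results.timeRange.latest$
          ]]></param>
        </module>
        <!-- $postProcess$ carries the upstream postprocess string, so this
             module extends it instead of repeating it. -->
        <module name="PostProcess">
          <param name="search">$postProcess$ | sort - count</param>
          <module name="Table" />
        </module>
      </module>
    </module>
  </module>
</view>
```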
