All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I direct a Sideview Table module to display last "results.count" rows of search results instead of the first rows?

dtonder
New Member
‎06-28-2015 05:21 PM

I have a search that returns returns say 1 to 1000 rows, and I want to display the LAST 10 (or n) (or fewer, if there are <10 rows returned) instead of the FIRST 10 (assuming results.count is 10). I was trying to manipulate results.offset dynamically with a ValueSetter, with no luck. I don't really want to reverse sort the data.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎06-30-2015 09:50 AM

Just use PostProcess to reverse the result set. Hopefully your unwillingness to use reverse was more of an unwillingness to use reverse in the base search? Otherwise I don't really see the drawback if there are only 1000 rows. 

<module name="PostProcess">
  <param name="search">reverse</param>

  <module name="Pager">
    <module name="Table" />
  </module>
</module>

Technically, you probably could manipulate $results.offset$ and $results.count$ as they come off the Pager, but before they hit the Table, but you're going to have to dispatch a stats count search to do it, or write a JS customBehavior, and either of those seem like a worse idea than a reverse. =/

0 Karma
Reply

dtonder
New Member
‎07-09-2015 08:45 AM

Thanks for the answer/feedback. The data is coming in a timechart with oerformance statistics in 5 minute intervals ... and I think of it being ordered oldest to newest with the newest at the bottom.... and that's how I would normally view it.. I'm most interested in the most recent 50 or 60 minutes worth of data from a display/dashboard real estate perspective, but I may want to page back to see a historical view (the search might return most recent 3 or 5 hours of 5 minute intervals). I tried messing with $results.offset$ and $results.count$ pager/table/values but debug showed that they seemed to be getting the values that were there "before" the the query/rendering completed, if that makes sense. Admittedly I don't have my head wrapped around all of the intricacies of how and when stuff gets processed, so not ready to tackle custom behaviors yet. Thanks.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎07-09-2015 09:09 PM

Cool. Well the PostProcess should give you what you want. There are some pretty thorough docs in Sideview Utils about using PostProcess in general. They go into detail about situations with a little more going on than this, but still worth reading.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...