All Apps and Add-ons

How do I Paginate search results and PostProcess the paginated results

ahogrefe
Engager

Hi,
I have to create a dashboard that displays results in columns, one column per day. Like:

System | 2015.01.01 | 2015.01.02 | 2015.01.03
A | 4711 | 4712 | 4713
B | 0815 | 0816 | 0817
C | 0815 | 0816 | 0817
D | 0815 | 0816 | 0817
E | 0815 | 0816 | 0817
...
The Cells have to be colored depending on the value. The Pagination has to be n-columns per Page. Number of Days and TimeRange is unknown before the start of the search. My Idea was:
1. Get the results in a row per day
2. Paginate the results
3. Do a PostProcess (Append Rows with format information and transpose the results)
4. Display the Table with paginated days as columns

The Code looks like this:

    <view isSticky="False" isVisible="false" onunloadCancelJobs="true" template="dashboard.html">
       <module name="SideviewUtils" layoutPanel="appHeader">
       </module>

       <module name="URLLoader" layoutPanel="viewHeader" autoRun="True">
          <param name="keepURLUpdated">True</param>
             <module name="SavedSearch" layoutPanel="panel_row2_col1"> 
             <param name="name">
                          The_Search_that_returns_the_Values_with_each_Day_as_a_Row
             </param>
             <module name="JobProgressIndicator">
               <module name="Pager">
                   <param name="count">3</param> 
                        <module name="PostProcess"><param name="search">
| The_Search_that_transposes_the_Table_and_hopefully_enables_column_pagination
                              </param>
                      <module name="Table">
                          <param name="rowClass">   col_02-$row.fields.formatCol_1$
                                                        col_03-$row.fields.formatCol_2$
                                                                                                        [...]
                                  </param>
                                  <param name="hiddenFields">formatCol_1 formatCol_2 [...] </param>
                                  <param name="count">25</param>
                               </module>
                            </module>
                         </module>
                  </module>
                   </module>
              </module> 
        </view>

Works not like supposed, the results of the first search are all transposed and the resulting Table looks like this:

<- 1, 2, 3, ... ->
System | 2015.01.01 | 2015.01.02 | 2015.01.03
A | 4711 | 4712 | 4713
B | 0815 | 0816 | 0817
C | 0815 | 0816 | 0817

I wanted that result:

<- 1, 2, 3, ... ->
System | 2015.01.01 | 2015.01.02
A | 4711 | 4712
B | 0815 | 0816
C | 0815 | 0816
D | 0815 | 0816
E | 0815 | 0816
...

It seems like the Pagination waits untill all search has been finished and then starts to paginate. Also the number of Rows in that table seems to be set by the Pagination. Is there a way to work around this?

Thanx in advance and happy splunking 😉

Cheers!

sideview
SplunkTrust
SplunkTrust

I'm afraid I don't actually think there's a way to do this. Postprocess searches are applied to all of the rows, and although postprocess searches can arbitrarily transform and change the results into some other set of rows, ultimately the pagination is always going to just page row-wise through those rows.

If you could accept a restriction that the number of rows were fixed at some number like 10, then we could hack some of this use case, in that we could use the search language to create "fields" for the first N days on rows 1-10, and then fields starting at 2N-1 for rows 11-20, fields corresponding to the next days starting at row 21 etc. Then when you paged through the rows, the column headers would appear to change.

But as for the broader question of making the "results per page" turn into "columns per page", pagination and postprocess would have to work fundamentally differently to do so.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...