Hi
I have a dashboard where I am drilling down based on user selection. I have a table which displays the top 10 users based on their UI activity. Upon clicking, a timechart based on that user's runTime should come up for the same user.
FYI: I am using Sideview Utils.
Below is the code snippet:
<view autoCancelInterval="90" isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
  <label>User Activity via PostProcess</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="appHeader" />
  <module name="SideviewUtils" layoutPanel="appHeader" />
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="maxSize">2</param>
    <param name="clearOnJobDispatch">False</param>
  </module>
  <module name="HTML" layoutPanel="viewHeader">
    <param name="html">
      <![CDATA[ <h1>User Activity via PostProcess</h1> ]]>
    </param>
  </module>
  <module name="URLLoader" layoutPanel="viewHeader" autoRun="True">
    <param name="keepURLUpdated">False</param>
    <module name="TimeRangePicker">
      <param name="selected">Last 24 hours</param>
      <param name="searchWhenChanged">True</param>
      <module name="Search" layoutPanel="panel_row2_col1">
        <param name="search">`set_internal_index` host=* sourcetype=splunkd_access "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-" user!="splunk-system-user" | rex "(?<run_time>\d+)ms"| bin _time span=15min | stats count by user, run_time</param>
        <module name="PostProcess">
          <param name="search">| top 10 user</param>
          <module name="HTML">
            <param name="html">
              <![CDATA[ <h1>UI Search Activity by User</h1> ]]>
            </param>
          </module>
          <module name="JobProgressIndicator" />
          <module name="Pager">
            <param name="entityName">results</param>
            <module name="ViewRedirectorLink">
              <param name="viewTarget">flashtimeline</param>
              <param name="popup">true</param>
            </module>
            <module name="SimpleResultsTable">
              <param name="drilldown">row</param>
              <param name="displayRowNumbers">True</param>
              <param name="entityName">results</param>
              <module name="ValueSetter">
                <param name="name">username</param>
                <param name="value">$click.value$</param>
                <module name="PostProcess">
                  <param name="search">$username$ | timechart eval(sum(run_time)/1000) by user</param>
                  <module name="HTML">
                    <param name="html">
                      <![CDATA[ <h1>Timechart of user $username$</h1> ]]>
                    </param>
                  </module>
                  <module name="JobProgressIndicator" />
                  <module name="HiddenChartFormatter">
                    <param name="charting.chart">column</param>
                    <param name="charting.axisTitleY.text">Search time (seconds)</param>
                    <param name="charting.chart.stackMode">stacked</param>
                    <module name="ViewRedirectorLink">
                      <param name="viewTarget">flashtimeline</param>
                      <param name="popup">true</param>
                    </module>
                    <module name="JSChart">
                      <module name="Search">
                        <param name="search">`set_audit_index` host=* action=search $username$ (id=* OR search_id=*) | eval search_id=if(isnull(search_id), id, search_id) | replace '*' with * in search_id | search search_id!=rt_* search_id!=searchparsetmp* | rex "search='(?<search>.*?)', autojoin" | rex "savedsearch_name=\"(?<savedsearch_name>.*?)\"\]\[" | eval search=case(isnotnull(search),search,isnull(search) AND savedsearch_name!="", "Scheduled search name : ".savedsearch_name,isnull(search) AND savedsearch_name=="","SID : ".search_id) | convert num(total_run_time) | eval user = if(user="n/a", "nobody", user) | stats min(_time) as _time last(user) as user max(total_run_time) as total_run_time last(search) as search by search_id | search search_id=* search!=typeahead* search!="|history*" search!=*_internal* search!=*_audit* | search search_id!=subsearch_* | sort - total_run_time | rename total_run_time as "Search Run Time" | fields - search_id</param>
                        <module name="HTML">
                          <param name="html">
                            <![CDATA[ <h1>Top searches by $username$</h1> ]]>
                          </param>
                        </module>
                        <module name="JobProgressIndicator" />
                        <module name="Pager">
                          <param name="entityName">results</param>
                          <module name="SimpleResultsTable">
                            <param name="drilldown">row</param>
                            <param name="displayRowNumbers">True</param>
                            <param name="entityName">results</param>
                          </module>
                        </module>
                        <module name="ViewRedirectorLink">
                          <param name="viewTarget">flashtimeline</param>
                          <param name="popup">true</param>
                        </module>
                      </module>
                    </module>
                  </module>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
1) Technically your first postprocess isn't working correctly either, although it may look approximately right. Your base search is
`set_internal_index` host=* sourcetype=splunkd_access "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-" user!="splunk-system-user" | rex "(?<run_time>\d+)ms"| bin _time span=15min | stats count by user, run_time
and then your postprocess search for top 10 users is just:
| top 10 user
However the top command just counts the number of incoming rows per user and ranks them according to that. In so doing it will not sum up the "count" field for each value of user, it will simply count incoming rows. So in this case, because the base search ends with stats count by user, run_time, the top command will simply rank the users by how many distinct run_time values they each have, which is probably not what you intended. You probably want to use a postprocess search of
| stats sum(run_time) as run_time by user
or possibly
| stats sum(count) as count by user
but I don't know which one is the one you mean.
2) As to the second postprocess search, the reason that's not working is that the postprocess search is:
$username$ | timechart eval(sum(run_time)/1000) by user
a) Since postprocess searches have to include the leading search command (even if you intend the search command), this is probably throwing an error. Unfortunately Splunk doesn't propagate this error anywhere, so the request will be quietly dying with an error 400 (bad request) or 500.
b) Even search=bob wouldn't work here, because there is no longer any _raw text for the search command to check free-text search terms against. I think you mean user="$username$". You probably want to have a postprocess search here of:
search user=$username$ | timechart eval(sum(run_time)/1000) as seconds
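To make point 1) of the answer concrete, here is an added Python simulation (not code from the question or the answer) of what the base search's `stats count by user, run_time` output looks like and how `| top 10 user` ranks it differently from `| stats sum(count) by user` or `| stats sum(run_time) by user`. The log lines are constructed in the shape of splunkd_access events, and the parsing regex is an assumption standing in for `kv access-extractions`.

```python
import re
from collections import Counter

# Constructed sample events shaped like splunkd_access lines (not real data):
# alice runs five searches at 900ms each, bob runs four at distinct run times,
# and one splunk-system-user event should be filtered out like the base search does.
LOG_LINES = [
    f'10.0.0.1 - alice [08/Jan/2014:12:0{i}:00.000 +0000] "GET /services/search/jobs/1.{i} HTTP/1.1" 200 512 - - - 900ms'
    for i in range(5)
] + [
    f'10.0.0.2 - bob [08/Jan/2014:12:0{i}:00.000 +0000] "GET /services/search/jobs/2.{i} HTTP/1.1" 200 512 - - - {10 * (i + 1)}ms'
    for i in range(4)
] + ['10.0.0.3 - splunk-system-user [08/Jan/2014:12:00:09.000 +0000] "GET /services/search/jobs/3.1 HTTP/1.1" 200 512 - - - 5ms']

# Assumed field extraction: user, request uri and the trailing "<n>ms" run time.
LINE_RE = re.compile(r'^\S+ - (?P<user>\S+) \[[^\]]+\] "\w+ (?P<uri>\S+) [^"]*" .*?(?P<run_time>\d+)ms$')


def base_search(lines):
    """Mirror the question's base search up to `stats count by user, run_time`.
    Returns one row per (user, run_time) with a count field; no other fields survive."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m['uri'].startswith('/services/search/jobs/'):
            continue
        if m['user'] in ('-', 'splunk-system-user'):
            continue
        counts[(m['user'], int(m['run_time']))] += 1
    return [{'user': u, 'run_time': rt, 'count': c} for (u, rt), c in sorted(counts.items())]


def top_users(rows, n=10):
    """What `| top N user` does: rank by number of incoming rows per user (the count field is ignored)."""
    return Counter(r['user'] for r in rows).most_common(n)


def sum_by_user(rows, field):
    """What `| stats sum(<field>) as <field> by user` does, ranked descending."""
    totals = Counter()
    for r in rows:
        totals[r['user']] += r[field]
    return totals.most_common()


if __name__ == '__main__':
    rows = base_search(LOG_LINES)
    print('top user            :', top_users(rows))                # bob first: 4 rows vs 1
    print('sum(count) by user  :', sum_by_user(rows, 'count'))     # alice first: 5 events vs 4
    print('sum(run_time) by user:', sum_by_user(rows, 'run_time')) # alice first: 900ms vs 100ms
```

Because alice's five identical run times collapse into a single row, `top` ranks her below bob even though she generated more events and more search time; the two `stats sum` variants rank by what the answer suggests you probably meant.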