- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Inline Drilldown & PostProcess
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Inline Drilldown & PostProcess
Hi
I have a dashboard where I am drilling down based on user selection. I have a table which displays top 10 users based on their UI activity. Upon clicking, a timechart based on his runTime should come up for the same user.
- Base search includes stats count by user, runTime.
- 1st postProcess extracts top 10 users -> works fine
- 2nd postProcess based on $click.value$ defines a timechart -> doesn't work (gives "No results found").
FYI: I am using sideview utils.
Below is code snippet:
<view autoCancelInterval="90" isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
<label>User Activity via PostProcess</label>
<module name="AccountBar" layoutPanel="appHeader" />
<module name="AppBar" layoutPanel="appHeader" />
<module name="SideviewUtils" layoutPanel="appHeader" />
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="maxSize">2</param>
<param name="clearOnJobDispatch">False</param>
</module>
<module name="HTML" layoutPanel="viewHeader">
<param name="html">
<![CDATA[ <h1>User Activity via PostProcess</h1> ]]>
</param>
</module>
<module name="URLLoader" layoutPanel="viewHeader" autoRun="True">
<param name="keepURLUpdated">False</param>
<module name="TimeRangePicker">
<param name="selected">Last 24 hours</param>
<param name="searchWhenChanged">True</param>
<module name="Search" layoutPanel="panel_row2_col1">
<param name="search">`set_internal_index` host=* sourcetype=splunkd_access "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-" user!="splunk-system-user" | rex "(?<run_time>\d+)ms"| bin _time span=15min | stats count by user, run_time</param>
<module name="PostProcess">
<param name="search">| top 10 user</param>
<module name="HTML">
<param name="html">
<![CDATA[ <h1>UI Search Activity by User</h1> ]]>
</param>
</module>
<module name="JobProgressIndicator" />
<module name="Pager">
<param name="entityName">results</param>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
<param name="popup">true</param>
</module>
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<param name="displayRowNumbers">True</param>
<param name="entityName">results</param>
<module name="ValueSetter">
<param name="name">username</param>
<param name="value">$click.value$</param>
<module name="PostProcess">
<param name="search">$username$ | timechart eval(sum(run_time)/1000) by user</param>
<module name="HTML">
<param name="html">
<![CDATA[ <h1>Timechart of user $username$</h1> ]]>
</param>
</module>
<module name="JobProgressIndicator" />
<module name="HiddenChartFormatter">
<param name="charting.chart">column</param>
<param name="charting.axisTitleY.text">Search time (seconds)</param>
<param name="charting.chart.stackMode">stacked</param>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
<param name="popup">true</param>
</module>
<module name="JSChart">
<module name="Search">
<param name="search">`set_audit_index` host=* action=search $username$ (id=* OR search_id=*) | eval search_id=if(isnull(search_id), id, search_id) | replace '*' with * in search_id | search search_id!=rt_* search_id!=searchparsetmp* | rex "search='(?<search>.*?)', autojoin" | rex "savedsearch_name=\"(?<savedsearch_name>.*?)\"\]\[" | eval search=case(isnotnull(search),search,isnull(search) AND savedsearch_name!="", "Scheduled search name : ".savedsearch_name,isnull(search) AND savedsearch_name=="","SID : ".search_id) | convert num(total_run_time) | eval user = if(user="n/a", "nobody", user) | stats min(_time) as _time last(user) as user max(total_run_time) as total_run_time last(search) as search by search_id | search search_id=* search!=typeahead* search!="|history*" search!=*_internal* search!=*_audit* | search search_id!=subsearch_* | sort - total_run_time | rename total_run_time as "Search Run Time" | fields -
search_id</param>
<module name="HTML">
<param name="html">
<![CDATA[ <h1>Top searches by $username$</h1> ]]>
</param>
</module>
<module name="JobProgressIndicator" />
<module name="Pager">
<param name="entityName">results</param>
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<param name="displayRowNumbers">True</param>
<param name="entityName">results</param>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
<param name="popup">true</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Technically your first postprocess isn't working correctly either although it may look approximately right. Your base search is
`set_internal_index` host=* sourcetype=splunkd_access "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-" user!="splunk-system-user" | rex "(?<run_time>\d+)ms"| bin _time span=15min | stats count by user, run_time
and then your postprocess search for top 10 users is just:
| top 10 user
However the top command just counts the number of incoming rows per user and ranks them according to that. In so doing it will not sum up the "count" field for each value of user, it will simply count incoming rows. So in this case because the base search ends with stats count by user, run_time, the top command will simply rank the users by how many distinct run_time values they each have which is probably not what you intended. You probably want to use a postprocess search of
| stats sum(run_time) as run_time by user
or possibly
| stats sum(count) as count by user
but I don't know which one is the one you mean.
2) As to the second postprocess search, the reason that's not working is that the postprocess search is:
$username$ | timechart eval(sum(run_time)/1000) by user
a) Since postprocess searches have to include the leading search command, (even if you intend the search search command), this is probably throwing an error. Unfortunately Splunk doesn't propagate this error anywhere, so the request will be quietly dying with an error 400 (bad request) or 500.
b) even search=bob wouldn't work here, because there is no longer any _raw text for the search command to check free-text search terms against. I think you mean user="$username$". You probably want to have a postprocess search here of:
search user=$username$ | timechart eval(sum(run_time)/1000) as seconds
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
