
Inline Drilldown & PostProcess

ashishrathore
Explorer

Hi
I have a dashboard where I am drilling down based on user selection. I have a table which displays top 10 users based on their UI activity. Upon clicking, a timechart based on his runTime should come up for the same user.

  • Base search includes stats count by user, runTime.
  • 1st postProcess extracts top 10 users -> works fine
  • 2nd postProcess based on $click.value$ defines a timechart -> doesn't work (gives "No results found").

FYI: I am using sideview utils.

Below is code snippet:

<view autoCancelInterval="90" isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
    <label>User Activity via PostProcess</label>
    <module name="AccountBar" layoutPanel="appHeader" />
    <module name="AppBar" layoutPanel="appHeader" />
    <module name="SideviewUtils" layoutPanel="appHeader" />
    <module name="Message" layoutPanel="messaging">
        <param name="filter">*</param>
        <param name="maxSize">2</param>
        <param name="clearOnJobDispatch">False</param>
    </module>
    <module name="HTML" layoutPanel="viewHeader">
        <param name="html">
            <![CDATA[ <h1>User Activity via PostProcess</h1> ]]>
</param>
    </module>
    <module name="URLLoader" layoutPanel="viewHeader" autoRun="True">
        <param name="keepURLUpdated">False</param>
        <module name="TimeRangePicker">
            <param name="selected">Last 24 hours</param>
            <param name="searchWhenChanged">True</param>
            <module name="Search" layoutPanel="panel_row2_col1">
                <param name="search">`set_internal_index` host=* sourcetype=splunkd_access "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-" user!="splunk-system-user" | rex "(?&lt;run_time&gt;\d+)ms"| bin _time span=15min | stats count by user, run_time</param>
                <module name="PostProcess">
                    <param name="search">| top 10 user</param>
                    <module name="HTML">
                        <param name="html">
                            <![CDATA[ <h1>UI Search Activity by User</h1> ]]>
</param>
                    </module>
                    <module name="JobProgressIndicator" />
                    <module name="Pager">
                        <param name="entityName">results</param>
                        <module name="ViewRedirectorLink">
                            <param name="viewTarget">flashtimeline</param>
                            <param name="popup">true</param>
                        </module>
                        <module name="SimpleResultsTable">
                            <param name="drilldown">row</param>
                            <param name="displayRowNumbers">True</param>
                            <param name="entityName">results</param>
                            <module name="ValueSetter">
                                <param name="name">username</param>
                                <param name="value">$click.value$</param>
                                <module name="PostProcess">
                                    <param name="search">$username$ | timechart eval(sum(run_time)/1000) by user</param>
                                    <module name="HTML">
                                        <param name="html">
                                            <![CDATA[ <h1>Timechart of user $username$</h1> ]]>
</param>
                                    </module>
                                    <module name="JobProgressIndicator" />
                                    <module name="HiddenChartFormatter">
                                        <param name="charting.chart">column</param>
                                        <param name="charting.axisTitleY.text">Search time (seconds)</param>
                                        <param name="charting.chart.stackMode">stacked</param>
                                        <module name="ViewRedirectorLink">
                                            <param name="viewTarget">flashtimeline</param>
                                            <param name="popup">true</param>
                                        </module>
                                        <module name="JSChart">
                                            <module name="Search">
                                                <param name="search">`set_audit_index` host=* action=search $username$ (id=* OR search_id=*) | eval search_id=if(isnull(search_id), id, search_id) | replace '*' with * in search_id | search search_id!=rt_* search_id!=searchparsetmp* | rex "search='(?&lt;search&gt;.*?)', autojoin" | rex "savedsearch_name=\"(?&lt;savedsearch_name&gt;.*?)\"\]\[" | eval search=case(isnotnull(search),search,isnull(search) AND savedsearch_name!="", "Scheduled search name : ".savedsearch_name,isnull(search) AND savedsearch_name=="","SID : ".search_id) | convert num(total_run_time) | eval user = if(user="n/a", "nobody", user) | stats min(_time) as _time last(user) as user max(total_run_time) as total_run_time last(search) as search by search_id | search search_id=* search!=typeahead* search!="|history*" search!=*_internal* search!=*_audit* | search search_id!=subsearch_* | sort - total_run_time | rename total_run_time as "Search Run Time" | fields - search_id</param>
                                                <module name="HTML">
                                                    <param name="html">
                                                        <![CDATA[  <h1>Top searches by $username$</h1> ]]>
</param>
                                                </module>
                                                <module name="JobProgressIndicator" />
                                                <module name="Pager">
                                                    <param name="entityName">results</param>
                                                    <module name="SimpleResultsTable">
                                                        <param name="drilldown">row</param>
                                                        <param name="displayRowNumbers">True</param>
                                                        <param name="entityName">results</param>
                                                    </module>
                                                </module>
                                                <module name="ViewRedirectorLink">
                                                    <param name="viewTarget">flashtimeline</param>
                                                    <param name="popup">true</param>
                                                </module>
                                            </module>
                                        </module>
                                    </module>
                                </module>
                            </module>
                        </module>
                    </module>
                </module>
            </module>
        </module>
    </module>
</view>

sideview
SplunkTrust

1) Technically, your first postprocess isn't working correctly either, although it may look approximately right. Your base search is

`set_internal_index` host=* sourcetype=splunkd_access "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-" user!="splunk-system-user" | rex "(?<run_time>\d+)ms"| bin _time span=15min | stats count by user, run_time

and then your postprocess search for top 10 users is just:

| top 10 user

However, the top command just counts the number of incoming rows per user and ranks them according to that. In so doing it will not sum up the "count" field for each value of user; it will simply count incoming rows. So in this case, because the base search ends with stats count by user, run_time, the top command will simply rank the users by how many distinct run_time values they each have, which is probably not what you intended. You probably want to use a postprocess search of

| stats sum(run_time) as run_time by user

or possibly

| stats sum(count) as count by user

but I don't know which one is the one you mean.

2) As to the second postprocess search, the reason that's not working is that the postprocess search is:

$username$ | timechart eval(sum(run_time)/1000) by user

a) Since postprocess searches have to include the leading search command (even if you intend the search command), this is probably throwing an error. Unfortunately Splunk doesn't propagate this error anywhere, so the request will be quietly dying with an error 400 (bad request) or 500.

b) Even search=bob wouldn't work here, because there is no longer any _raw text for the search command to check free-text search terms against. I think you mean user="$username$". You probably want to have a postprocess search here of:

search user=$username$ | timechart eval(sum(run_time)/1000) as seconds
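The two points in the answer above, modelled in a few lines of Python as an added example (this is not code from the original post or from the answer, and it is not how Splunk implements these commands internally). It takes a constructed stand-in for the output of a base search ending in `stats count by user, run_time` and shows (1) that a `top user` post-process ranks by number of rows per user and ignores the existing `count` field, so it gives a different order than `stats sum(count) by user` or `stats sum(run_time) by user`, and (2) that a free-text term such as `bob` has nothing to match against once `stats` has stripped `_raw`, whereas a field comparison `user=bob` still works. User names, run_time values and counts are made up for illustration.

```python
"""Model of `top` vs `stats sum(...)` and of free-text vs field search over
post-`stats` rows (added example; not Splunk's implementation)."""
from collections import Counter, defaultdict

# Constructed stand-in for the rows that `... | stats count by user, run_time`
# would produce. Each row is one (user, run_time) pair plus how many events
# had that pair. Note there is no `_raw` field any more.
BASE_ROWS = [
    {"user": "alice", "run_time": 120,  "count": 400},
    {"user": "alice", "run_time": 350,  "count": 300},
    {"user": "bob",   "run_time": 80,   "count": 5},
    {"user": "bob",   "run_time": 90,   "count": 4},
    {"user": "bob",   "run_time": 100,  "count": 3},
    {"user": "bob",   "run_time": 110,  "count": 2},
    {"user": "carol", "run_time": 9000, "count": 1},
]


def top_by_user(rows, limit=10):
    """Model of `| top <limit> user`: rank users by how many incoming rows
    carry each user value. The pre-existing `count` column is ignored, so
    over `stats count by user, run_time` output this is really a ranking
    by the number of distinct run_time values per user."""
    per_user = Counter(r["user"] for r in rows)
    return [user for user, _ in per_user.most_common(limit)]


def stats_sum_by_user(rows, field, limit=10):
    """Model of `| stats sum(<field>) as <field> by user | sort - <field>`:
    add up the named column per user and rank by the total."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["user"]] += r[field]
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [user for user, _ in ranked[:limit]]


def free_text_search(rows, term):
    """Model of `| search <term>` with a bare term: the term is matched
    against `_raw`, which post-`stats` rows no longer have, so nothing
    matches. (Real Splunk also tries field values in some cases; the point
    here is only that there is no raw event text left to search.)"""
    return [r for r in rows if term in r.get("_raw", "")]


def field_search(rows, field, value):
    """Model of `| search <field>=<value>`: compare against a column that
    survived the `stats` command."""
    return [r for r in rows if str(r.get(field)) == value]


if __name__ == "__main__":
    print("top user          :", top_by_user(BASE_ROWS))
    print("sum(count) by user:", stats_sum_by_user(BASE_ROWS, "count"))
    print("sum(run_time)     :", stats_sum_by_user(BASE_ROWS, "run_time"))
    print("search bob        :", len(free_text_search(BASE_ROWS, "bob")), "rows")
    print("search user=bob   :", len(field_search(BASE_ROWS, "user", "bob")), "rows")
```

With the constructed rows, the three post-process variants return three different "top" orderings: `top user` puts bob first (four distinct run_time rows), `sum(count)` puts alice first (700 events), and `sum(run_time)` puts carol first (one 9 s search). The free-text search returns no rows, which is the "No results found" symptom from the question, while the field comparison returns bob's four rows.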
