I have a dashboard where I am drilling down based on user selection. I have a table which displays top 10 users based on their UI activity. Upon clicking, a timechart based on his runTime should come up for the same user.
Base search includes stats count by user, runTime.
1st postProcess extracts top 10 users -> works fine
2nd postProcess based on $click.value$ defines a timechart -> doesn't work (gives "No results found").
1) Technically your first postprocess isn't working correctly either although it may look approximately right. Your base search is
`set_internal_index` host=* sourcetype=splunkd_access "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-" user!="splunk-system-user" | rex "(?<run_time>\d+)ms"| bin _time span=15min | stats count by user, run_time
and then your postprocess search for top 10 users is just:
| top 10 user
However the top command just counts the number of incoming rows per user and ranks them according to that. In so doing it will not sum up the "count" field for each value of user, it will simply count incoming rows. So in this case because the base search ends with stats count by user, run_time, the top command will simply rank the users by how many distinct run_time values they each have which is probably not what you intended. You probably want to use a postprocess search of
| stats sum(run_time) as run_time by user
| stats sum(count) as count by user
but I don't know which one is the one you mean.
2) As to the second postprocess search, the reason that's not working is that the postprocess search is:
$username$ | timechart eval(sum(run_time)/1000) by user
a) Since postprocess searches have to include the leading search command, (even if you intend the search search command), this is probably throwing an error. Unfortunately Splunk doesn't propagate this error anywhere, so the request will be quietly dying with an error 400 (bad request) or 500.
b) even search=bob wouldn't work here, because there is no longer any _raw text for the search command to check free-text search terms against. I think you mean user="$username$". You probably want to have a postprocess search here of:
search user=$username$ | timechart eval(sum(run_time)/1000) as seconds