PostProcess dedups not functioning for a Pulldown

rjdargi
Explorer
<module name="Search">
    <param name="search">index=test | stats count by FIELD1, FIELD2, FIELD3</param>
    <module name="PostProcess">
        <param name="search">| dedup FIELD2 | fields FIELD2</param>
        <module name="Pulldown">
            <param name="float">left</param>
            <param name="name">FIELD2</param>
            <param name="label">FIELD2</param>
            <param name="staticFieldsToDisplay">
                <list>
                    <param name="label">*</param>
                    <param name="value">*</param>
                </list>
            </param>
            <param name="searchFieldsToDisplay">
                <list>
                    <param name="label">FIELD2</param>
                    <param name="value">FIELD2</param>
                </list>
            </param>
        </module>
    </module>
</module>

Let's say field 2 contains the following items:

  • groupa
  • groupa
  • groupb
  • groupb
  • groupd
  • testdataname

I would expect the pulldown to contain:

  • *
  • groupa
  • groupb
  • groupd
  • testdataname

What I'm instead getting is:

  • *
  • groupa
  • groupa
  • groupb
  • groupb
  • groupd
  • testdataname

I'm unsure if I'm missing something obvious here, but the "| dedup FIELD2" should be removing duplicates, yet the PostProcess is still containing this. I'm trying to run ~ 5-7 Pulldowns off a single search for the sake of speed, but even if I try a single search/postprocess pair as above, I'm getting the TOTAL contents of FIELD2 in the Pulldown rather than the UNIQUE items.

Is there a way to do this?

1 Solution

sideview
SplunkTrust

I'd try a couple things

1) upgrade to the latest Sideview Utils. I see some old legacy param names here that make me think you're using the ancient 1.3.5 version. There were some weird issues way back when and this might be one of those, I can't remember.

2) remove the PostProcess module entirely and try it with the postprocess param on the Pulldown module, i.e. <param name="postProcess">| dedup FIELD2</param>.

3) throw a <module name="Table"/> in right before the Pulldown.

And you can send a screenshot to nick [at] sideviewapps.com.
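
Suggestion 2 written out as a view fragment, added here as an example (not code posted by either participant in this thread). It reuses the param names from the question and moves the dedup into the Pulldown's own postProcess param. The second Pulldown for FIELD3 and its sibling placement under the Search module are assumptions, included to show how several Pulldowns could share the one base search.

```xml
<!-- Added example: the base search runs once; each Pulldown dedups its own
     field through its postProcess param, so no PostProcess module is used. -->
<module name="Search">
    <param name="search">index=test | stats count by FIELD1, FIELD2, FIELD3</param>

    <!-- Pulldown from the question, with the dedup moved onto the module -->
    <module name="Pulldown">
        <param name="float">left</param>
        <param name="name">FIELD2</param>
        <param name="label">FIELD2</param>
        <param name="postProcess">| dedup FIELD2 | fields FIELD2</param>
        <param name="staticFieldsToDisplay">
            <list>
                <param name="label">*</param>
                <param name="value">*</param>
            </list>
        </param>
        <param name="searchFieldsToDisplay">
            <list>
                <param name="label">FIELD2</param>
                <param name="value">FIELD2</param>
            </list>
        </param>
    </module>

    <!-- Assumed second Pulldown: same pattern applied to FIELD3 -->
    <module name="Pulldown">
        <param name="float">left</param>
        <param name="name">FIELD3</param>
        <param name="label">FIELD3</param>
        <param name="postProcess">| dedup FIELD3 | fields FIELD3</param>
        <param name="staticFieldsToDisplay">
            <list>
                <param name="label">*</param>
                <param name="value">*</param>
            </list>
        </param>
        <param name="searchFieldsToDisplay">
            <list>
                <param name="label">FIELD3</param>
                <param name="value">FIELD3</param>
            </list>
        </param>
    </module>
</module>
```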

sideview
SplunkTrust

OK. I'm still weirded out that the PostProcess module didn't seem to work. When you get a chance can you let me know what Sideview Utils version you were on?

0 Karma

rjdargi
Explorer

Sorry I didn't see this earlier -- yes, I am on the ancient 1.3.5 version.

0 Karma

sideview
SplunkTrust

OK Thanks. (and hey you should upgrade!) 😃

0 Karma

rjdargi
Explorer

Thanks for suggestion 2), I didn't realize the Pulldown module had an internal postProcess parameter. That fixed my issue and all is good.

Thanks!

0 Karma

rjdargi
Explorer

Yes, until I switch this to the Search->PostProcess setup, the searches work fine. Running as individual searches functions fine, but doesn't provide the end-user experience I want -- way too slow.

I'm also not seeing anything like trailing spaces in field values, either.

It seems to happen exclusively with Pulldowns; if I switch to building, say, SimpleResultsTables from the PostProcess, then it's not an issue.

0 Karma

sideview
SplunkTrust

That is very strange. What you're doing should absolutely give you the results you expect. Whatever is causing this problem, it'll be something fun. Like maybe trailing space characters are sometimes on the field value?

What happens if you run this search in the normal search interface?

index=test | stats count by FIELD1, FIELD2, FIELD3 | dedup FIELD2

Do you get the results you expect there?
