All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

PostProcess search filters seem to be missing results (sideview)

brettcave
Builder
‎08-19-2013 07:49 AM

hi,

I'm building a dashboard using the awesome Sideview Utils, but in my view, I seem to be missing data. My view has the following structure:

<search>
    <postprocess>
    <postprocess>
    <postprocess>
    <postprocess>

each postprocess has a pager->table to render results. the base search returns results from stats:

... | stats latest(x) as x latest(y) as y latest(z) as z by UserID

And then each PostProcess looks at different fields, for e.g.

eval segment1=case(isnull(x),"None",x&gt;10,"Big",x=0,"None") | stats dc(UserID) as NumUsers by segment1 | addcoltotals labelfield=segment1 label=TOTAL

And then the 2nd PostProcess will segment based on "y". the above is a really simplified example of what the actual search is doing, but they all have a similar approach: segment according to a field, and then run through stats by the segmentation field. When I run the view, I get inconsistent numbers - all 4 postprocesses should come up with the same number of users in the total, but 1 & 2 return 3802 users (correct), while the 3rd and 4th postprocess returns "308". I've added "$search$" to a debug panel and run the 3rd of 4th postprocess appended to the actual search, and when I run as a standard search, I get the correct number of results - 3802.

Is there any reason or configuration options I should be looking out for that limits the results in downstream postprocess configurations?

Reply
1 Solution
Solved! Jump to solution
Solution

brettcave
Builder
‎08-19-2013 08:02 AM

typical... spend hours trying to debug the problem with a search, post a question here, and then spot the mistake.

I had renamed a field in the stats (numUsers), and was referencing the old fieldname in a ... | fields numVisitors....

all results are now consistent.

View solution in original post

Reply
Solved! Jump to solution
Solution

brettcave
Builder
‎08-19-2013 08:02 AM

typical... spend hours trying to debug the problem with a search, post a question here, and then spot the mistake.

I had renamed a field in the stats (numUsers), and was referencing the old fieldname in a ... | fields numVisitors....

all results are now consistent.

Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...