
[Sideview] How to use a search within a PostProcess that is located downstream to another different search

sridamg
Explorer

In the diagram below:

Search A
--Search B
----PostProcess

How can I use Search A in the PostProcess?

Thanks for your help.

1 Solution

sideview
SplunkTrust

I think I see. The easy solution would be to move Search A and Search B down into the relevant Tab. Of course this would make the searches (re)dispatch whenever the user changes the tab. My guess is this is the reason you're not writing the view this way - that you want the searches to dispatch once when the page loads and then not dispatch again.

What you can do then, is to use a ValueSetter module to save the sid of SearchA into a $foo$ token like so:

<module name="ValueSetter">
  <param name="arg.sidA">$results.sid$</param>

When search B comes along and clobbers everything about search A, this little $sidA$ token will survive. So you can then use that. Instead of using postprocess at all for search A, you can then use the loadjob command with that sid.

<module name="Search">
  <param name="search">loadjob $sidA$ | <your 'postprocess' commands go here></param>

loadjob is a little clunky, and I've seen some weird behavior from it over the years, but this should work perfectly well and give you the behavior you need.

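A complete view that wires the accepted answer into the asker's tab layout, added here as an example and not code from the thread: the index names, field names, layoutPanel, tab labels (the group attributes) and the 24h time range are assumptions.

```xml
<view template="dashboard.html">
  <label>Search A and Search B in separate tabs</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>

  <!-- Search A: dispatched once on page load (index and fields are assumed) -->
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=index_a | stats count by host, error</param>
    <param name="earliest">-24h</param>

    <!-- Save Search A's sid before Search B replaces $search$ and $results.*$ -->
    <module name="ValueSetter">
      <param name="arg.sidA">$results.sid$</param>

      <!-- Search B: everything below sees B as its search, but $sidA$ survives -->
      <module name="Search">
        <param name="search">index=index_b | stats count by host, status</param>

        <module name="TabSwitcher">

          <!-- Tab 1: re-read Search A's finished job with loadjob (a generating
               command, hence the leading pipe) and apply A's post-processing -->
          <module name="Search" group="Results from A">
            <param name="search">| loadjob $sidA$ | where count>10</param>
            <module name="SimpleResultsTable"/>
          </module>

          <!-- Tab 2: an ordinary PostProcess that runs against Search B -->
          <module name="PostProcess" group="Results from B">
            <param name="search">| stats sum(count) as count by host</param>
            <module name="SimpleResultsTable"/>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
```

loadjob can only read Search A's results while that job's artifact still exists on the search head, so the page breaks once the job has expired and the user switches tabs.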


sridamg
Explorer

Sorry I am late to reply. This solution worked. Thank you so much.


sideview
SplunkTrust

What exactly about Search A do you need? Do you need a couple fields, and the results are a single-row? If so then the best way is to use a ResultsValueSetter in between Search A and Search B to pull down those values. If you want to run the whole postProcess search against Search A's results, it's best to reorganize the view a little, specify the postprocess string with a ValueSetter, and then simply use that ValueSetter's $foo$ token inside each PostProcess. There are probably some other options that I'm not thinking of, so let me know what you need exactly from search A.


sridamg
Explorer

Thank you so much for replying.

I have search A and search B running on completely different indexes. I have a TabSwitcher where I need to show results from each of these indexes in separate tabs. Please consider the snippet below:

Search A
---ValueSetter ($search$ / $postprocess$)
------Search B
---------TabSwitcher
-------------PostProcess of A (no matter what I set in the ValueSetter used at the top, and use that here, it takes search B as the main search, hence disrupting the results. I need to run this postprocess on search A.)
-------------PostProcess of B (successfully running on search B and showing results.)


sridamg
Explorer

I need all the results from search A, not just one row.


ngatchasandra
Builder

Hi,

Try another approach, like the following example:

<module name="PostProcess">
  <param name="search">| stats count by username, host, error</param>
  ...
  <module name="PostProcess">
    <param name="search">$postProcess$ | stats sum(count) as count by username</param>
    ...
    <module name="PostProcess">
      <param name="search">$postProcess$ | where count>10</param>
      ...
    </module>
  </module>
</module>

In this case, the PostProcess modules are all operating on the same dispatched search, so in each case you can refer to the aggregate postProcess from upstream as $postProcess$, pretty much anywhere.


sridamg
Explorer

But I have two searches, one under another. How can I get $postProcess$ or $search$ of the first search in the PostProcess that is actually the child of the second search? I think these variables will refer to the second search by default, and not the first one.


ngatchasandra
Builder

I have not tested this, but try also with:

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">| stats count by username, host, error</param>
  ...
  <module name="PostProcess">
    <param name="search">$search$ | stats sum(count) as count by username</param>
    ...
    <module name="PostProcess">
      <param name="search">$postProcess$ | where count>10</param>
      ...
    </module>
  </module>
</module>