
[Sideview] How to use a search within a PostProcess that is located downstream to another different search

Explorer

In the diagram below:

Search A
--Search B
----PostProcess

How can I use Search A in the PostProcess?

Thanks for your help.


Re: [Sideview] How to use a search within a PostProcess that is located downstream to another different search

Hi,

Try to order this like the following example:

<module name="PostProcess">
   <param name="search">| stats count by username, host, error</param>

   ...
   <module name="PostProcess">
     <param name="search">$postProcess$ | stats sum(count) as count by username</param>

     ...
     <module name="PostProcess">
       <param name="search">$postProcess$ | where count>10 |</param>

In this case, the PostProcess modules are all operating on the same dispatched search, so in each case you can refer to the aggregate postProcess from upstream as $postProcess$, pretty much anywhere.

0 Karma

Re: [Sideview] How to use a search within a PostProcess that is located downstream to another different search

Explorer

But I have two searches, one under another. How can I get $postProcess$ or $search$ of the first search in the PostProcess that is actually the child of the second search? I think these variables will refer to the second search by default, and not the first one.

0 Karma

Re: [Sideview] How to use a search within a PostProcess that is located downstream to another different search

I have not tested this, but try also with:

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">| stats count by username, host, error</param>

    ...
    <module name="PostProcess">
      <param name="search">$search$ | stats sum(count) as count by username</param>

      ...
      <module name="PostProcess">
        <param name="search">$postProcess$ | where count>10 |</param>
0 Karma

Re: [Sideview] How to use a search within a PostProcess that is located downstream to another different search

SplunkTrust

What exactly about Search A do you need? Do you need a couple fields, and the results are a single-row? If so then the best way is to use a ResultsValueSetter in between Search A and Search B to pull down those values. If you want to run the whole postProcess search against Search A's results, it's best to reorganize the view a little, specify the postprocess string with a ValueSetter, and then simply use that ValueSetter's $foo$ token inside each PostProcess. There are probably some other options that I'm not thinking of, so let me know what you need exactly from search A.

0 Karma

Re: [Sideview] How to use a search within a PostProcess that is located downstream to another different search

Explorer

Thank you so much for replying.

I have search A and search B running on completely different indexes. I have a TabSwitcher where I need to show results from each of these indexes in separate tabs. Please consider the snippet below:

Search A
---ValueSetter ($search$ / $postprocess$)
------Search B
---------TabSwitcher
-------------PostProcess of A (no matter what I set in the ValueSetter used at the top, and use that here, it takes search B as the main search, hence disrupting the results. I need to run this postprocess on search A.)
-------------PostProcess of B (successfully running on search B and showing results.)

0 Karma

Re: [Sideview] How to use a search within a PostProcess that is located downstream to another different search

Explorer

I need all the results from search A, not just one row.

0 Karma

Re: [Sideview] How to use a search within a PostProcess that is located downstream to another different search

SplunkTrust

I think I see. The easy solution would be to move Search A and Search B down into the relevant Tab. Of course this would make the searches (re)dispatch whenever the user changes the tab. My guess is this is the reason you're not writing the view this way - that you want the searches to dispatch once when the page loads and then not dispatch again.

What you can do then, is to use a ValueSetter module to save the sid of SearchA into a $foo$ token like so:

<module name="ValueSetter">
  <param name="arg.sidA">$results.sid$</param>

When search B comes along and clobbers everything about search A, this little $sidA$ token will survive. So you can then use that. Instead of using postprocess at all for search A, you can then use the loadjob command with that sid.

<module name="Search">
  <param name="search">| loadjob $sidA$ | <your 'postprocess' commands go here></param>

loadjob is a little clunky, and I've seen some weird behavior from it over the years, but this should work perfectly well and give you the behavior you need.

View solution in original post
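
The layout from the answer above, assembled into one view fragment as an added example (not code from the original posts). The index names, field names, tab labels and the TabSwitcher/Table wiring are constructed for illustration. It assumes Search A's job has completed and has not expired by the time the loadjob search dispatches.

```xml
<!-- Added example: index names, fields and tab labels are constructed. -->
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <!-- Search A -->
  <param name="search">index=index_a | stats count by username, host</param>

  <!-- Capture Search A's job id before Search B replaces the search context. -->
  <module name="ValueSetter">
    <param name="arg.sidA">$results.sid$</param>

    <!-- Search B: from here down, $search$ and $postProcess$ refer to B. -->
    <module name="Search">
      <param name="search">index=index_b | stats count by host, error</param>

      <module name="TabSwitcher">
        <param name="mode">independent</param>
        <param name="selected">Index A</param>

        <!-- Tab A: reload Search A's results by sid; the commands that
             would have been the postprocess follow the loadjob. -->
        <module name="Search" group="Index A">
          <param name="search">| loadjob $sidA$ | stats sum(count) as count by username</param>
          <module name="Table"></module>
        </module>

        <!-- Tab B: an ordinary postprocess against Search B. -->
        <module name="PostProcess" group="Index B">
          <param name="search">| stats sum(count) as count by host</param>
          <module name="Table"></module>
        </module>
      </module>
    </module>
  </module>
</module>
```

The loadjob search in tab A is a new, small job of its own, while tab B adds no job beyond Search B.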


Re: [Sideview] How to use a search within a PostProcess that is located downstream to another different search

Explorer

Sorry I am late to reply. This solution worked. Thank you so much.

0 Karma