All Apps and Add-ons

Sideview PostProcess returning no results

BryanBerry
Path Finder

Firstly, see my pastebin

Base search:

sourcetype=applog source!=*jboss-*GA/* | transaction transactionid keepevicted=t | fields _time, ResponseType, RequestType, PlatformName, ErrorMessage, exception, exception_message

PostProcess1:

search ResponseType="ERROR_SERVER" | table _time, RequestType, exception, exception_message, ErrorMessage

PostProcess2:

search ResponseType="ERROR_UNKNOWN" | table _time, ErrorMessage, PlatformName, exception

Neither Table module shows results for its respective PostProcess.

I know some questions are going to come up regarding why I'm doing it this way. I understand my method of accomplishing this may not be the best, so please offer suggestions for improvement.

Why am I just grabbing transaction'ed events for my base search? The data I need to display won't appear in the event that has ResponseType=ERROR_SERVER or ResponseType=ERROR_UNKNOWN. It will appear in another event with the same transactionid. If you can think of a better way to put the data together, please tell me.

Why am I using keepevicted=t? No clue. I don't get results when I don't have that in there. Educate me?

Why am I adding fields at the end of my base search? Per the PostProcess documentation in the Sideview app, Splunk will discard fields from the base search that it has deemed unimportant. By explicitly telling Splunk that I want those fields, I think that should bypass that problem. Maybe I'm wrong?

So yeah, no idea why I'm not getting results. Running the base search in combination with the PostProcess does yield results. Help?

1 Solution

sideview
SplunkTrust
SplunkTrust

I would just back up and check basic assumptions. This dashboard runs over last 4 hours, so make sure when you run the combined baseSearch+postProcess search in another window, that the timeranges match. And make sure your field extractions are actually in the same app as the dashboard. I know these are kind of obvious suggestions but I suspect it'll be something like that. I put together a little testcase for this, basing it off your example but running against _internal data, with transaction and postprocess etc, it worked fine.

It's good you checked by running the baseSearch concatenated with the postProcess search. That is a great sanity check.

Maybe change the "fields" to "table" in the base search, but like I said I just ran a little testcase here and it seemed fine... Maybe try and see if rigging up a similar example but against internal data works... transaction might be doing something really weird in your particular data. =/

There was also a lot of unnecessary nesting and redundant JobProgressIndicators in that XML so I cleaned it up for you here:
http://pastebin.com/hE5c3LAe

All that redundant nesting wasn't really having a negative effect but it makes the XML look way more complicated.

View solution in original post

sideview
SplunkTrust
SplunkTrust

I would just back up and check basic assumptions. This dashboard runs over last 4 hours, so make sure when you run the combined baseSearch+postProcess search in another window, that the timeranges match. And make sure your field extractions are actually in the same app as the dashboard. I know these are kind of obvious suggestions but I suspect it'll be something like that. I put together a little testcase for this, basing it off your example but running against _internal data, with transaction and postprocess etc, it worked fine.

It's good you checked by running the baseSearch concatenated with the postProcess search. That is a great sanity check.

Maybe change the "fields" to "table" in the base search, but like I said I just ran a little testcase here and it seemed fine... Maybe try and see if rigging up a similar example but against internal data works... transaction might be doing something really weird in your particular data. =/

There was also a lot of unnecessary nesting and redundant JobProgressIndicators in that XML so I cleaned it up for you here:
http://pastebin.com/hE5c3LAe

All that redundant nesting wasn't really having a negative effect but it makes the XML look way more complicated.

BryanBerry
Path Finder

Table instead of fields is what did it. Thanks!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...