combining savedsearch and postProcess does not work

aragavan
Explorer

I am new to Splunk and I am trying the following:
get a value from the PullDown list
do a savedSearch
do a postProcess using the value selected from the drop-down. The value is one of the eventtypes.
But I always get the output of the savedSearch, and the post-processing does not seem to be happening.
For the postProcess search, I tried:
| eventtype=$envtype$
search eventtype=$envtype$
eventtype=$envtype$
Can anyone throw some light here?





TrunkFarm
Trunk


TestFarm
Integration


envtype
Environment:

    <module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" autoRun="True">
      <param name="savedSearch">TransactionLogCountandDurationforTestServicesGen</param>
      <module name="PostProcess" layoutPanel="panel_row1_col1" autoRun="True">
        <param name="search">search eventtype=$envtype$</param>
        <module name="SimpleResultsHeader">
          <param name="entityName">results</param>
          <param name="headerFormat">$time$ - Updates every 5 minutes</param>
        </module>
      </module>
    </module>

asimagu
Builder

Try the Hidden Search module and put the code for your saved search in there.

    <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
      <param name="search">THE_CODE_FOR_YOUR_PRETTY_SEARCH_GOES_HERE</param>
      <module name="PostProcess" layoutPanel="panel_row1_col1" autoRun="True">
        <param name="search">search eventtype=$envtype$</param>
        <module name="SimpleResultsHeader">
          <param name="entityName">results</param>
          <param name="headerFormat">$time$ - Updates every 5 minutes</param>
        </module>
....
...
0 Karma

sideview
SplunkTrust

HiddenSavedSearch and PostProcess work together perfectly well. However, there are a number of common pitfalls around the use of postProcess searches in general.

0 Karma

asimagu
Builder

I believe HiddenSavedSearch and postprocess cannot work together

0 Karma

aragavan
Explorer

It's working, but using HiddenSearch is slow compared to HiddenSavedSearch. Looking to better my dashboard.

0 Karma

sideview
SplunkTrust

There are a number of common pitfalls around using postprocess with Splunk, and all of them are pretty well explained in the Sideview Utils documentation under "Key Techniques > Using PostProcess > Introduction".

The most likely problem here is that the search language in your savedsearch does not actually refer to the eventtype field in any way. This means that Splunk will not extract that field, and when the postprocess comes along later, it won't be there.

If it's not that pitfall though, it'll be one of the other ones described again on that docs page.

Make sure you're on the latest Sideview Utils because there are constantly improvements happening not just to the modules and tools but also to the documentation! The current version is 2.4.10 and you can add yourself to the mailing list to get notified whenever there are new releases (http://sideviewapps.com/apps/sideview-utils/mailing-list/)

and download 2.4.10 from the Sideview site here: http://sideviewapps.com/apps/sideview-utils/

0 Karma

sideview
SplunkTrust

Hm. I wonder if eventtypes work differently. Can you try putting | fields eventtype * on the end of your saved search and seeing what happens? It will have no effect on the search results other than reordering them, and it will definitely tell Splunk not only that it has to expand that one eventtype, but that it has to run and calculate summaries for all eventtypes.

0 Karma

aragavan
Explorer

Thanks, my savedSearch starts like this:
index=exp eventtype=TrunkFarm OR eventtype=TestFarm sourcetype="tracelog" ...
So my savedsearch does refer to "eventtype", which I am trying in my postProcess search param.

I'll read the Sideview document you suggested.

0 Karma