
combining savedsearch and postProcess does not work

Explorer

I am new to Splunk and I am trying the following:
get a value from a PullDown list
do a savedSearch
do a postProcess by using the value selected from the drop-down. The value is one of the eventtypes.
But I always get the output of the savedSearch, and post-processing does not seem to be happening.
For the postProcess search, I tried:
| eventtype=$envtype$
search eventtype=$envtype$
eventtype=$envtype$
Can anyone throw some light here?





TrunkFarm
Trunk


TestFarm
Integration


envtype
Environment:

<module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="savedSearch">TransactionLogCountandDurationforTestServicesGen</param>
  <module name="PostProcess" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">search eventtype=$envtype$</param>
    <module name="SimpleResultsHeader">
      <param name="entityName">results</param>
      <param name="headerFormat">$time$ - Updates every 5 minutes</param>
    </module>
  </module>
</module>

Re: combining savedsearch and postProcess does not work

SplunkTrust

There are a number of common pitfalls around using postprocess with Splunk, and all of them are pretty well explained in the Sideview Utils documentation under "Key Techniques > Using PostProcess > Introduction".

The most likely problem here is that the search language in your savedsearch does not actually refer to the eventtype field in any way. This means that Splunk will not extract that field, and when the postprocess comes along later, it won't be there.

If it's not that pitfall though, it'll be one of the other ones described again on that docs page.

Make sure you're on the latest Sideview Utils, because there are improvements constantly happening, not just to the modules and tools but also to the documentation! The current version is 2.4.10 and you can add yourself to the mailing list to get notified whenever there are new releases (http://sideviewapps.com/apps/sideview-utils/mailing-list/)

and download 2.4.10 from the Sideview site here: http://sideviewapps.com/apps/sideview-utils/

0 Karma
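
The pitfall described in the answer above, as an added example that is not part of the original thread or of Sideview Utils: a small Python model of a post-process filter running over the rows a base search returned. The sample rows are constructed, the helper names (`parse_terms`, `missing_fields`, `post_process`) are hypothetical, and it assumes a simple ANDed `field=value` filter with exact-match comparison.

```python
import re

# Constructed sample rows standing in for rows returned by a base (saved) search.
# In the first set the eventtype field was never carried into the results.
ROWS_NO_EVENTTYPE = [
    {"sourcetype": "tracelog", "duration": "41"},
    {"sourcetype": "tracelog", "duration": "97"},
]
ROWS_WITH_EVENTTYPE = [
    {"eventtype": "TrunkFarm", "sourcetype": "tracelog", "duration": "41"},
    {"eventtype": "TestFarm", "sourcetype": "tracelog", "duration": "97"},
]

# One field=value term; the value may be double-quoted.
TERM = re.compile(r'([A-Za-z_][\w.]*)\s*=\s*("[^"]*"|\S+)')


def parse_terms(postprocess, tokens):
    """Substitute $token$ values, then return the (field, value) terms of a
    simple 'search field=value ...' post-process string (terms are ANDed)."""
    filled = re.sub(r"\$(\w+)\$", lambda m: tokens[m.group(1)], postprocess)
    body = re.sub(r"^\s*search\s+", "", filled)
    return [(field, value.strip('"')) for field, value in TERM.findall(body)]


def missing_fields(postprocess, tokens, rows):
    """Fields the post-process filters on that no base result row carries."""
    present = {name for row in rows for name in row}
    return sorted({field for field, _ in parse_terms(postprocess, tokens)} - present)


def post_process(postprocess, tokens, rows):
    """Keep rows matching every term; a field absent from a row never matches.
    Simplification: exact string comparison, not Splunk's own matching rules."""
    terms = parse_terms(postprocess, tokens)
    return [row for row in rows if all(row.get(f) == v for f, v in terms)]


if __name__ == "__main__":
    pp, tok = "search eventtype=$envtype$", {"envtype": "TrunkFarm"}
    for label, rows in (("without field", ROWS_NO_EVENTTYPE),
                        ("with field", ROWS_WITH_EVENTTYPE)):
        print(label, missing_fields(pp, tok, rows), post_process(pp, tok, rows))
```
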

Re: combining savedsearch and postProcess does not work

Explorer

Thanks, my savedSearch starts like this:
index=exp eventtype=TrunkFarm OR eventtype=TestFarm sourcetype="tracelog" ...
So my savedsearch does refer to "eventtype", which I am trying in my postProcess search param.

I'll read Sideview document you suggested.

0 Karma

Re: combining savedsearch and postProcess does not work

SplunkTrust

Hm. I wonder if eventtypes work differently. Can you try putting | fields eventtype * on the end of your saved search and seeing what happens? It will have no effect on the search results other than reordering them, and it will definitely tell Splunk not only that it has to expand that one eventtype, but that it has to run and calculate summaries for all eventtypes.

0 Karma

Re: combining savedsearch and postProcess does not work

Builder

Try the Hidden Search module and put in there the code for your saved search:

<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">THE_CODE_FOR_YOUR_PRETTY_SEARCH_GOES_HERE</param>
  <module name="PostProcess" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">search eventtype=$envtype$</param>
    <module name="SimpleResultsHeader">
      <param name="entityName">results</param>
      <param name="headerFormat">$time$ - Updates every 5 minutes</param>
    </module>
....
...
0 Karma

Re: combining savedsearch and postProcess does not work

Explorer

It's working, but using HiddenSearch is slow compared to HiddenSavedSearch, looking to better my dashboard.

0 Karma

Re: combining savedsearch and postProcess does not work

Builder

I believe HiddenSavedSearch and postprocess cannot work together.

0 Karma

Re: combining savedsearch and postProcess does not work

SplunkTrust

HiddenSavedSearch and PostProcess work together perfectly well. However, there are a number of common pitfalls around the use of postProcess searches in general.

0 Karma