foo value for number of results in a PostProcess module

adityapavan18
Contributor

Hi,
Is there a foo value which returns the number of rows resulting after PostProcess?

$results.resultCount$ returns the number of results returned in the main query, but not the number of rows after post process, even though the variable is used in the PostProcess module.

How can I get the row count after the PostProcess module is applied?

sideview
SplunkTrust

There actually isn't a token for this number, which is why you can't find one. When modules need to get the length of the postProcess'ed results set, they just send the search, with the postProcess string, with a little "| stats count" on the end of it, to Splunkd. A weird little trick that works perfectly well. The extra stats count counts all the rows and the response comes back.

As always when you want to pull field values down to the UI and do something with them, there are two ways with Sideview Utils:

1) If you ultimately just want to display the value(s) somewhere, it can be easiest to use the $results[0].fieldName$ syntax supported by the HTML module.

<module name="PostProcess">
  <param name="search">$postProcess$ | stats count</param>
  <module name="HTML">
    <param name="html"><![CDATA[
      <h3>$results[0].count$ results found</h3>
    ]]></param>
  </module>
</module>

2) If you want to do something more than just display the value(s) to the user, then you can use the ResultsValueSetter module to actually pull down the field value and make it available as a standard $foo$ token, thus usable by any downstream module.

<module name="PostProcess">
  <param name="search">$postProcess$ | stats count as postProcessRowCount</param>
  <module name="ResultsValueSetter">
    <param name="fields">postProcessRowCount</param>
    <!-- downstream modules go here -->
  </module>
</module>

You are now free to use $postProcessRowCount$ anywhere downstream from the RVS module, and it will reflect the number of results in the postProcessed search results.

sideview
SplunkTrust

Well, it is best if you actually read the documentation. But in a nutshell, just in the Sideview HTML module, $results[0].foo$ will grab the value of the field "foo" in the first row of search results. And $results[3].sourcetype$ will grab the value of the field "sourcetype" in the fourth row of search results.

0 Karma
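
The row indexing described above, as an added example that is not part of the original post and is not Sideview Utils code: a JavaScript resolver for $results[N].field$ tokens. The function names, the HTML escaping of field values, the empty-string fallback for a missing row or field, and the sample rows are assumptions made for this illustration.

```javascript
// Added illustration, not Sideview Utils code. All sample rows are constructed.

// Matches $results[N].fieldName$ where N is a zero-based row index.
const RESULTS_TOKEN = /\$results\[(\d+)\]\.([A-Za-z_][\w.]*)\$/g;

// Escape a field value before placing it into HTML, so that markup stored in
// indexed events is shown as text instead of being interpreted by the browser.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Replace every $results[N].field$ with the value of `field` in row N of
// `rows`. A row or field that does not exist renders as "" (assumption).
function renderResultsTokens(template, rows) {
  return template.replace(RESULTS_TOKEN, (match, index, field) => {
    const row = rows[Number(index)];
    if (row === undefined || !Object.prototype.hasOwnProperty.call(row, field)) {
      return "";
    }
    return escapeHtml(row[field]);
  });
}

// Constructed rows standing in for a search's result table.
const searchRows = [
  { sourcetype: "access_combined", host: "web01" },
  { sourcetype: "access_combined", host: "web02" },
  { sourcetype: "linux_secure", host: "<b>bastion</b>" },
  { sourcetype: "syslog", host: "fw01" },
];

// Constructed single-row table, as "<postProcess> | stats count" returns it.
const countRows = [{ count: "2" }];

// results[0] is the first row, results[3] is the fourth row.
console.log(renderResultsTokens("<h3>$results[0].count$ results found</h3>", countRows));
console.log(renderResultsTokens("Fourth row: $results[3].sourcetype$", searchRows));
console.log(renderResultsTokens("Third host: $results[2].host$", searchRows));
```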

0waste_splunk
Communicator

Still, it doesn't say what results[0], results[1] mean in table context?

0 Karma

sideview
SplunkTrust

Read the documentation for the HTML module, inside the app, under "Module Documentation > The HTML module > Embedding HTML and including values from your search results"

Also make sure you're on the latest (2.5) from the Sideview site ( http://sideviewapps.com/apps/sideview-utils/ ) and not the super old version from Splunkbase (1.3.5)

0 Karma

0waste_splunk
Communicator

But can you explain what $results[0].count$ will display? I mean to ask, [0], [1] refer to what module?

0 Karma