All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

postprocess - dashboard display

hqw
Path Finder
‎07-02-2015 07:49 PM

Hi all,

I want to use post process to speed up my dashboard, but face some problem to display out my result in the sub search. Can any one kindly tell me what is wrong? why can't i see any data ?

my base search:
<search id="1">
<![CDATA[*** | eval day=strftime(_time, "%Y-%m-%d") | rex field=_raw "server_name\=\"(?<retailer>([a-zA-Z]+)|(\d-\d+\s+))" | stats sum(touch_count) as sum_touch_count by day, retailer]]>

my sub search:
&lt;search base="1"&gt;
chart dc(server_name) AS "Distinct_Count_server", sum(sum_touch_count) AS sum_touch_count over day by retailer |eval avg= sum_touch_count/Distinct_Count_server |eval avg=round(avg,0)

what i want is to display average by retailers over time, but currently i just can get the result of server count and sum of interaction count by retail over time. Is there any requirement to add anything else behind my current sub search?

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-03-2015 09:58 AM

The problem is that your subsearch is trying to use fields that are presented from the base search. A stats command will remove the fields presented to the next command, so you are trying to count server_name, but that isn't listed as an output field of the base search. You can try using eventstats to calculate the sum_touch_count.

<search id="1"><query><![CDATA[*** | eval day=strftime(_time, "%Y-%m-%d") | rex field=_raw "server_name\=\"(?<retailer>([a-zA-Z]+)|(\d-\d+\s+))" | eventstats sum(touch_count) as sum_touch_count by day, retailer]]></query></search>

<search base="1><query>chart dc(server_name) AS "Distinct_Count_server", latest(sum_touch_count) AS sum_touch_count over day by retailer |eval avg= sum_touch_count/Distinct_Count_server |eval avg=round(avg,0)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-03-2015 09:58 AM

The problem is that your subsearch is trying to use fields that are presented from the base search. A stats command will remove the fields presented to the next command, so you are trying to count server_name, but that isn't listed as an output field of the base search. You can try using eventstats to calculate the sum_touch_count.

<search id="1"><query><![CDATA[*** | eval day=strftime(_time, "%Y-%m-%d") | rex field=_raw "server_name\=\"(?<retailer>([a-zA-Z]+)|(\d-\d+\s+))" | eventstats sum(touch_count) as sum_touch_count by day, retailer]]></query></search>

<search base="1><query>chart dc(server_name) AS "Distinct_Count_server", latest(sum_touch_count) AS sum_touch_count over day by retailer |eval avg= sum_touch_count/Distinct_Count_server |eval avg=round(avg,0)
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...