All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

sideview utils not using full search

brettcave
Builder
‎03-06-2013 12:50 AM

I have recently just installed and started using sideview utils to build a dashboard. I have a (relatively) large search base, parameterized with a TextField, and produces a few fields. There are then 3 PostProcesses of that search. The post process searches also have quite a few operators. In the results, the post processed results seem to be trimmed / cut. Here is an example of the structure of my view (pseudo code):

<view>
  textfield name=userFilter template=UserID="$value$"
    button
      search
        postprocess
          html
          table
        postprocess
          html
          table
        postprocess
          html
          table

The search creates fields based on event types (e.g. ... | eval UserDetail=if(eventtype="ProfileUpdate",_time." ".Detail1." ".Detail2,NULL) and then uses stats to get the latest of each created field.

The postprocess search then splits the fields into MV fields and builds a single field from that: | eval UserMV=split(UserDetail," ") | eval Detail1=mvindex(UserMV,0) | eval Detail2=mvindex(UserMV,1) | eval UserDetail="$ ".round(Detail1)." (".round(Detail2)."%)" | table UserDetail | rename UserDetail AS "Dollar Value (%)"

In the above example, I use the same sort of approach with 3 sets of fields and end up with a table with 3 columns. When the results are loaded though, the 2nd column is the only column that is generated, and it is loaded under the first columns heading.

Any reason why this is happening?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎04-12-2013 12:44 AM

You can use "$" characters in your searches, you just need to use two consecutive characters like so: $$

So just change your search to this:

| eval UserMV=split(UserDetail," ") | eval Detail1=mvindex(UserMV,0) | eval Detail2=mvindex(UserMV,1) | eval UserDetail="$$ ".round(Detail1)." (".round(Detail2)."%)" | table UserDetail | rename UserDetail AS "Dollar Value (%)"

and it will work fine. This was actually explained in the Sideview Utils documentation although it used to be a little hidden. I've since reworked the docs a little so this is called out in more places in the docs, and a little more loudly.

Since it only takes a few moments to upgrade Sideview Utils to latest, make sure you're up to date if only for the constant docs improvements. http://sideviewapps.com/apps/sideview-utils

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎04-12-2013 12:44 AM

You can use "$" characters in your searches, you just need to use two consecutive characters like so: $$

So just change your search to this:

| eval UserMV=split(UserDetail," ") | eval Detail1=mvindex(UserMV,0) | eval Detail2=mvindex(UserMV,1) | eval UserDetail="$$ ".round(Detail1)." (".round(Detail2)."%)" | table UserDetail | rename UserDetail AS "Dollar Value (%)"

and it will work fine. This was actually explained in the Sideview Utils documentation although it used to be a little hidden. I've since reworked the docs a little so this is called out in more places in the docs, and a little more loudly.

Since it only takes a few moments to upgrade Sideview Utils to latest, make sure you're up to date if only for the constant docs improvements. http://sideviewapps.com/apps/sideview-utils

Reply
Solved! Jump to solution

brettcave
Builder
‎03-08-2013 05:53 AM

issue is because you cannot use eval X="$".X with sideview - it tries to interpret the $ is a variable instead of literal.

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎03-08-2013 03:01 AM

anyone experience this with sideview utils?

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎03-06-2013 03:37 AM

I've simplied the base search now, removing the build-up of compound fields, and just have 1 x stats command that uses latest() of various fields.

PostProcess consists of 2 evals for formatting: ... | eval someField="$".round(someField) | eval otherField=round(otherField)."%" and it is still doing the same thing.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...