Solved: sideview utils not using full search

brettcave · ‎03-06-2013

I have recently just installed and started using sideview utils to build a dashboard. I have a (relatively) large search base, parameterized with a TextField, and produces a few fields. There are then 3 PostProcesses of that search. The post process searches also have quite a few operators. In the results, the post processed results seem to be trimmed / cut. Here is an example of the structure of my view (pseudo code):

<view>
  textfield name=userFilter template=UserID="$value$"
    button
      search
        postprocess
          html
          table
        postprocess
          html
          table
        postprocess
          html
          table

The search creates fields based on event types (e.g. ... | eval UserDetail=if(eventtype="ProfileUpdate",_time." ".Detail1." ".Detail2,NULL) and then uses stats to get the latest of each created field.

The postprocess search then splits the fields into MV fields and builds a single field from that: | eval UserMV=split(UserDetail," ") | eval Detail1=mvindex(UserMV,0) | eval Detail2=mvindex(UserMV,1) | eval UserDetail="$ ".round(Detail1)." (".round(Detail2)."%)" | table UserDetail | rename UserDetail AS "Dollar Value (%)"

In the above example, I use the same sort of approach with 3 sets of fields and end up with a table with 3 columns. When the results are loaded though, the 2nd column is the only column that is generated, and it is loaded under the first columns heading.

Any reason why this is happening?

sideview · ‎04-12-2013

You can use "$" characters in your searches, you just need to use two consecutive characters like so: $$

So just change your search to this:

and it will work fine. This was actually explained in the Sideview Utils documentation although it used to be a little hidden. I've since reworked the docs a little so this is called out in more places in the docs, and a little more loudly.

Since it only takes a few moments to upgrade Sideview Utils to latest, make sure you're up to date if only for the constant docs improvements. http://sideviewapps.com/apps/sideview-utils

View solution in original post

sideview · ‎04-12-2013

You can use "$" characters in your searches, you just need to use two consecutive characters like so: $$

So just change your search to this:

and it will work fine. This was actually explained in the Sideview Utils documentation although it used to be a little hidden. I've since reworked the docs a little so this is called out in more places in the docs, and a little more loudly.

Since it only takes a few moments to upgrade Sideview Utils to latest, make sure you're up to date if only for the constant docs improvements. http://sideviewapps.com/apps/sideview-utils

brettcave · ‎03-08-2013

issue is because you cannot use eval X="$".X with sideview - it tries to interpret the $ is a variable instead of literal.

brettcave · ‎03-08-2013

anyone experience this with sideview utils?

brettcave · ‎03-06-2013

I've simplied the base search now, removing the build-up of compound fields, and just have 1 x stats command that uses latest() of various fields.

PostProcess consists of 2 evals for formatting: ... | eval someField="$".round(someField) | eval otherField=round(otherField)."%" and it is still doing the same thing.

sideview utils not using full search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation