- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: FlashChart not showing from hidden search on v...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have a view with a Hidden Search and then I am running a number of post-process from that.
Below is condensed version of what I have. I can't get it to return anything but errors or a blank group/panel. Any suggestions???
<module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" autoRun="True">
<param name="search">
host="*90*" FeedSource="*" | sort _time desc
</param>
<param name="earliest">rt-1d</param>
<param name="latest">rt</param>
<module name="EnablePreview">
<param name="enable">true</param>
<param name="display">false</param>
<module name="GenericHeader" layoutPanel="panel_row3_col1_grp1" autoRun="True">
<param name="label">Fixture Caches</param>
<module name="HiddenPostProcess" layoutPanel="panel_row3_col1_grp1">
<param name="search">
search Fixture>0 | stats max(_time) As LatestTime By Action | eval Gap=time()-LatestTime | chart last(Gap) by Action
</param>
<module name="HiddenChartFormatter">
<param name="chart">column</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">100%</param>
</module>
</module>
</module>
</module>
</module>
</module>
This works BTW:
host="*90*" FeedSource="*" | sort _time desc | search Fixture>0 | stats max(_time) As LatestTime By Action | eval Gap=time()-LatestTime | chart last(Gap) by Action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is, that when a search is dispatched, Splunkd looks at all of the fields referenced in the search, and referenced in any macros or eventtypes, and those are the only fields whose extractions it will run. For any fields not in that list, it'll be as though they don't exist at all.
So in this example, the search results coming from the base search will not have any values extracted nor summarized for the "Fixture" nor "Action" fields.
The answer is fairly simple, and that's simply to take your base search and add in a
| fields _time Fixture Action
before the sort command. That will be enough to tell Splunkd that someone out there cares about these fields, and then come postProcess time, they'll be there.
This is actually written up in the UI Examples app, which has a page about postProcess and the pitfalls around it. Also in the docs inside the Sideview Utils app there's an equally good explanation of the same pitfalls.
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is, that when a search is dispatched, Splunkd looks at all of the fields referenced in the search, and referenced in any macros or eventtypes, and those are the only fields whose extractions it will run. For any fields not in that list, it'll be as though they don't exist at all.
So in this example, the search results coming from the base search will not have any values extracted nor summarized for the "Fixture" nor "Action" fields.
The answer is fairly simple, and that's simply to take your base search and add in a
| fields _time Fixture Action
before the sort command. That will be enough to tell Splunkd that someone out there cares about these fields, and then come postProcess time, they'll be there.
This is actually written up in the UI Examples app, which has a page about postProcess and the pitfalls around it. Also in the docs inside the Sideview Utils app there's an equally good explanation of the same pitfalls.
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
one adddendum - I edited my answer to remove the trailing * from my fields command, because it's possible that a * in the fields command will tell splunkd to suddenly extract every single possible field... Which is unnecessary work in this case and depending on your extraction config could slow your search down...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fantastic - worked instantly
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your post processing search results in an empty set (e.g., from your example, there are no values with Fixture > 0), FlashChart will just display a blank graph, instead of the slightly more user-friendly "No results found." If several of your panels depend upon the search condition "Fixture > 0", you might want to group those together within a HiddenSearch, and PostProcess after those. The other panels on the page would need their own search / post process.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes I left out other searches which don't need to know about how many Fixtures there have been. The following works: host="90" FeedSource="*" | sort _time desc | search Fixture>0 | stats max(_time) As LatestTime By Action | eval Gap=time()-LatestTime | chart last(Gap) by Action
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
