FlashChart not showing from hidden search on view

matthewcanty
Communicator

Hi All,

I have a view with a Hidden Search and then I am running a number of post-processes from that.

Below is a condensed version of what I have. I can't get it to return anything but errors or a blank group/panel. Any suggestions?

<module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" autoRun="True">
    <param name="search">
        host="*90*" FeedSource="*" | sort _time desc
    </param>
    <param name="earliest">rt-1d</param>
    <param name="latest">rt</param>
    <module name="EnablePreview">
        <param name="enable">true</param>
        <param name="display">false</param>
        <module name="GenericHeader" layoutPanel="panel_row3_col1_grp1" autoRun="True">
            <param name="label">Fixture Caches</param>
            <module name="HiddenPostProcess" layoutPanel="panel_row3_col1_grp1">
                <param name="search">
                    search Fixture>0 | stats max(_time) As LatestTime By Action | eval Gap=time()-LatestTime | chart last(Gap) by Action
                </param>
                <module name="HiddenChartFormatter">
                    <param name="chart">column</param>
                    <module name="FlashChart">
                        <param name="width">100%</param>
                        <param name="height">100%</param>
                    </module>
                </module>
            </module>
        </module>
    </module>
</module>

This works BTW:

host="*90*" FeedSource="*" | sort _time desc | search Fixture>0 | stats max(_time) As LatestTime By Action | eval Gap=time()-LatestTime | chart last(Gap) by Action

sideview
SplunkTrust

The problem is that when a search is dispatched, Splunkd looks at all of the fields referenced in the search, and referenced in any macros or eventtypes, and those are the only fields whose extractions it will run. For any fields not in that list, it'll be as though they don't exist at all.

So in this example, the search results coming from the base search will not have any values extracted nor summarized for the "Fixture" nor "Action" fields.

The answer is fairly simple, and that's simply to take your base search and add in a

| fields _time Fixture Action

before the sort command. That will be enough to tell Splunkd that someone out there cares about these fields, and then come postProcess time, they'll be there.

This is actually written up in the UI Examples app, which has a page about postProcess and the pitfalls around it. Also in the docs inside the Sideview Utils app there's an equally good explanation of the same pitfalls.

Cheers
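
The fix from this answer applied to the view in the question, as an added example that is not part of the original posts. Module names, panels and searches are copied from the question; the only change is the `fields` clause in the base search, which names the fields the post-process search reads.

```xml
<module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" autoRun="True">
    <param name="search">
        <!-- Name every field used by the post-process searches (here Fixture
             and Action, plus _time) so they are extracted in the base results.
             No trailing * in the fields list. -->
        host="*90*" FeedSource="*" | fields _time Fixture Action | sort _time desc
    </param>
    <param name="earliest">rt-1d</param>
    <param name="latest">rt</param>
    <module name="EnablePreview">
        <param name="enable">true</param>
        <param name="display">false</param>
        <module name="GenericHeader" layoutPanel="panel_row3_col1_grp1" autoRun="True">
            <param name="label">Fixture Caches</param>
            <module name="HiddenPostProcess" layoutPanel="panel_row3_col1_grp1">
                <param name="search">
                    <!-- Unchanged: Fixture and Action are now present in the base results. -->
                    search Fixture>0 | stats max(_time) As LatestTime By Action | eval Gap=time()-LatestTime | chart last(Gap) by Action
                </param>
                <module name="HiddenChartFormatter">
                    <param name="chart">column</param>
                    <module name="FlashChart">
                        <param name="width">100%</param>
                        <param name="height">100%</param>
                    </module>
                </module>
            </module>
        </module>
    </module>
</module>
```

Any further post-process panel hung off the same HiddenSearch needs its own fields added to that `fields` list as well.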


sideview
SplunkTrust

One addendum - I edited my answer to remove the trailing * from my fields command, because it's possible that a * in the fields command will tell splunkd to suddenly extract every single possible field... Which is unnecessary work in this case and depending on your extraction config could slow your search down...


matthewcanty
Communicator

Fantastic - worked instantly


sowings
Splunk Employee

If your post processing search results in an empty set (e.g., from your example, there are no values with Fixture > 0), FlashChart will just display a blank graph, instead of the slightly more user-friendly "No results found." If several of your panels depend upon the search condition "Fixture > 0", you might want to group those together within a HiddenSearch, and PostProcess after those. The other panels on the page would need their own search / post process.


matthewcanty
Communicator

Yes I left out other searches which don't need to know about how many Fixtures there have been. The following works: host="90" FeedSource="*" | sort _time desc | search Fixture>0 | stats max(_time) As LatestTime By Action | eval Gap=time()-LatestTime | chart last(Gap) by Action
