Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HiddenPostProcess - Can i use | search in it?

Michael_Wilde
Splunk Employee
Splunk Employee
‎09-17-2010 06:34 AM

I have a pile of stats i am gathering on apache access logs. I haven't pulled a field out to determine whether the browser is windows or mac, so initially i was running a separate search for each. Now i'm using HiddenSearch & HiddenPostProcess to make it more efficient, but is there a way for me to grab the whole pile in HiddenSearch and then in HiddenPostProcess have the "search" parameter do this -- not the "search windows" is looking for events/stats that have the word "windows" in them. Yes, i know.. i could make a field.. but i'm curious if this is possible in HPP.

<module name="HiddenSearch" layoutPanel="panel_row1_col2" group="Windows Listeners" autoRun="True">
        <param name="groupLabel">Windows Listeners</param>
            <param name="search">| search windows | dedup clientip | fields useragent | stats count</param>
            <param name="earliest">-1w@w</param>       
            <module name="SingleValue">
            <param name="field">count</param>

        </module>
Tags (1)
Reply

sideview
SplunkTrust
SplunkTrust
‎09-22-2010 06:18 AM

Yep. If you want to see some living examples of HiddenSearch, HiddenPostProcess, SingleValue, SubmitButton and ViewRedirector all playing together, check out the Discover app. Pull it down from Splunkbase and then check out the two 'validate' views -- validate_system and validate_app.

Reply

Michael_Wilde
Splunk Employee
Splunk Employee
‎09-26-2010 02:10 AM

If you want to see the result of this... http://bit.ly/splunktalkanalytics

Reply

Michael_Wilde
Splunk Employee
Splunk Employee
‎09-26-2010 02:10 AM

What i found, however is many times when you're doing HiddenSearch you are calculating stats, and a HiddenPostProcess with | search "foo" returns no results. I realized i had to do a field search, like | search useragent="windows". Then it totally worked. Thanks to both of you.

Reply

sideview
SplunkTrust
SplunkTrust
‎09-22-2010 06:16 AM

that 'groupLabel' attribute is cruft carried over from simplified xml conversion and can be deleted.

0 Karma
Reply

southeringtonp
Motivator
‎09-17-2010 02:18 PM

I gave it a quick try on 4.1.5 and it appeared to work.

I've attempted doing this in the past (circa 4.1.2?) and got empty result sets every time. It's possible there was a a change in the more recent version(s), though it's admittedly far more likely I was just doing something dumb like leaving out the initial pipe symbol.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎09-22-2010 06:14 AM

minor note: you actually dont need the initial pipe symbol in postProcess, although it's quite possible that it was necessary in earlier 4.x builds.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...