
HiddenPostProcess - Can I use | search in it?

Splunk Employee

I have a pile of stats I am gathering on Apache access logs. I haven't pulled a field out to determine whether the browser is Windows or Mac, so initially I was running a separate search for each. Now I'm using HiddenSearch & HiddenPostProcess to make it more efficient, but is there a way for me to grab the whole pile in HiddenSearch and then in HiddenPostProcess have the "search" parameter do this? Note that the "search windows" is looking for events/stats that have the word "windows" in them. Yes, I know... I could make a field, but I'm curious if this is possible in HPP.

<module name="HiddenSearch" layoutPanel="panel_row1_col2" group="Windows Listeners" autoRun="True">
    <param name="groupLabel">Windows Listeners</param>
    <!-- search as posted: keyword filter, then one row per client, then a total -->
    <param name="search">| search windows | dedup clientip | fields useragent | stats count</param>
    <param name="earliest">-1w@w</param>
    <!-- display the single "count" field produced by stats -->
    <module name="SingleValue">
        <param name="field">count</param>
    </module>
</module>

SplunkTrust

Yep. If you want to see some living examples of HiddenSearch, HiddenPostProcess, SingleValue, SubmitButton and ViewRedirector all playing together, check out the Discover app. Pull it down from Splunkbase and then check out the two 'validate' views -- validate_system and validate_app.

Splunk Employee

If you want to see the result of this... http://bit.ly/splunktalkanalytics

Splunk Employee

What I found, however, is that many times when you're doing HiddenSearch you are calculating stats, and a HiddenPostProcess with | search "foo" returns no results. I realized I had to do a field search, like | search useragent="windows". Then it totally worked. Thanks to both of you.

SplunkTrust

That 'groupLabel' attribute is cruft carried over from simplified XML conversion and can be deleted.


Motivator

I gave it a quick try on 4.1.5 and it appeared to work.

I've attempted doing this in the past (circa 4.1.2?) and got empty result sets every time. It's possible there was a change in the more recent version(s), though it's admittedly far more likely I was just doing something dumb like leaving out the initial pipe symbol.


SplunkTrust

Minor note: you actually don't need the initial pipe symbol in postProcess, although it's quite possible that it was necessary in earlier 4.x builds.
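
Putting the thread together, here is a complete advanced XML view that does what the original question asks: one HiddenSearch over the access logs, and one HiddenPostProcess per platform feeding a SingleValue. This is an added example written for this page, not code from the thread or from Splunk; it assumes a sourcetype of access_combined and a field named useragent whose values contain the substrings Windows and Macintosh (all three are assumptions; substitute your own). It follows the replies above: the base search is transforming, so each post-process uses a field search (useragent="*Windows*") rather than a bare keyword, the groupLabel param is dropped as cruft, and the leading pipe is kept because it is accepted whether or not the build requires it.

```xml
<view template="dashboard.html">
  <label>Listeners by platform</label>

  <!-- Standard chrome for an advanced XML view -->
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <!-- One base search, dispatched once and shared by both post-processes.
       Aggregating to one row per (clientip, useragent) keeps the result set
       small; sourcetype and field names are assumptions for this example. -->
  <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">sourcetype=access_combined | stats count by clientip, useragent</param>
    <param name="earliest">-1w@w</param>
    <param name="latest">now</param>

    <!-- Windows branch: a field search over the stats rows, not a bare term.
         dc(clientip) gives the same number as "dedup clientip | stats count". -->
    <module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
      <param name="search">| search useragent="*Windows*" | stats dc(clientip) as count</param>
      <module name="SingleValue">
        <param name="field">count</param>
        <param name="beforeLabel">Windows listeners:</param>
      </module>
    </module>

    <!-- Mac branch: same base results, different field filter -->
    <module name="HiddenPostProcess" layoutPanel="panel_row1_col2">
      <param name="search">| search useragent="*Macintosh*" | stats dc(clientip) as count</param>
      <module name="SingleValue">
        <param name="field">count</param>
        <param name="beforeLabel">Mac listeners:</param>
      </module>
    </module>
  </module>
</view>
```

Two things to check when adapting this. First, a post-process only ever sees the rows the base job produced, so any field you filter on in the HiddenPostProcess (here useragent) must survive the base search; if you aggregate with stats in the base search, include that field in the by clause. Second, filter on field values in the post-process, as the thread concludes: once the base search has run stats, there is no raw event text left for a bare keyword such as "windows" to match, which is why the keyword form came back empty.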