Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- HiddenPostProcess issues
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a problem with using a common search for more tables in a view.
I'm trying to follow the instructions in the documentation.
The issue I have is that I can see now results in my timechart. The singlevalue field, however, IS updated:
<module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="True">
<param name="search">index=os sourcetype=vmstat host=problemhost earliest=-4h@h | multikv fields loadAvg1mi, swapUsedPct</param>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1" group="CPU Load">
<param name="search">| timechart avg(loadAvg1mi) by host</param>
<module name="HiddenChartFormatter">
<param name="charting.axisTitleY.text">Load</param>
<param name="charting.chart">line</param>
<param name="charting.chart.stackMode">default</param>
<param name="charting.legend.placement">none</param>
<param name="charting.primaryAxisTitle.text">time</param>
<param name="charting.chart.nullValueMode">gaps</param>
<param name="charting.chart.showMarkers">false</param>
<param name="charting.layout.splitSeries">false</param>
<module name="JSChart">
<param name="width">100%</param>
</module>
</module>
</module>
<module name="HiddenPostProcess"
layoutPanel="panel_row1_col2" group="SIngle value">
<param name="search">| stats count</param>
<module name="SingleValue">
<param name="field">count</param>
<param name="afterLabel"> events</param>
<param name="classField">range</param>
</module>
</module>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, I found out one workaround solution for this. Apparently, there is only an issue with multikv-extracted values. So, I appended an eval to the base search:
<param name="search">index=os sourcetype=vmstat host=problemhost earliest=-4h@h | multikv fields loadAvg1mi, swapUsedPct |eval load_average=loadAvg1mi</param>
...and did the timechart on the eval'd values:
<param name="search">| timechart avg(load_average) by host</param>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, I found out one workaround solution for this. Apparently, there is only an issue with multikv-extracted values. So, I appended an eval to the base search:
<param name="search">index=os sourcetype=vmstat host=problemhost earliest=-4h@h | multikv fields loadAvg1mi, swapUsedPct |eval load_average=loadAvg1mi</param>
...and did the timechart on the eval'd values:
<param name="search">| timechart avg(load_average) by host</param>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've left out one chart to keep it as simple as possible.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...
Deep insights, no barriers: Splunk Observability Cloud Free Edition
Monitoring AI Agents with Splunk Observability Cloud
