Dashboards & Visualizations

HiddenPostProcess: search and eval confusion

Path Finder

I have the following:

   <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
        <param name="search">source="*stats.log" host="*prod*"</param>
        <param name="earliest">rt-60m</param>
        <param name="latest">rt</param>

    <module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp1" group="Look to Book Ratio">
        <param name="search">search transactionType="*" | streamstats
            count(eval(transactionType LIKE "%LSRQ")) as look count(eval(transactionType LIKE
            "BOOKRQSS%")) as book | eval lookbook=round(look/book) | rangemap field=lookbook severe=1001-100000 elevated=501-1000 low=0-500</param>
        <module name="SingleValue">
            <param name="field">lookbook</param>
            <param name="afterLabel">:1</param>
            <param name="classField">range</param>

I've read several answers here about the idiosyncrasies of using search in HiddenPostProcess modules, but still can't work out why I keep getting "Invalid field" in my SingleValue pane. What have I missed?

As an aside: the group="Look to Book Ratio" never seems to produce a label on the panel in column 1, but always does for column 2 and column 3. Weird.


Tags (2)
0 Karma


The answer is that in a dashboard or form-search context, Splunk has optimized behavior where it will only extract the fields that it sees in the search language of the main search string.

2 problems arising out of this.

1) referring to fields in the postProcess search that are not in the main search. Splunk didnt extract transactionType in the main search so this wont work.

2) referring to fields in the SingleValue module that are not in the main search. The UI can also send a parameter called required_field_list when the search is dispatched, and in most cases the modules are written correctly so that they know to do this. For example if you have a downstream SimpleResultsTable, with its 'fields' param set, the table module declares to the framework that it will need those fields extracted, so the framework includes them in the required_field_list. I think the implementation of SingleValue might overlook this case but i could be wrong.

Solution: easiest solution is to sneak in a fields clause into your main search, and include the '*' in that fields clause so that it doesnt actually do any filtering.

source="*stats.log" host="*prod*" | fields transactionType *
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...