Dashboards & Visualizations

HiddenPostProcess: search and eval confusion

Path Finder

I have the following:

   <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
        <param name="search">source="*stats.log" host="*prod*"</param>
        <param name="earliest">rt-60m</param>
        <param name="latest">rt</param>

    <module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp1" group="Look to Book Ratio">
        <param name="search">search transactionType="*" | streamstats
            count(eval(transactionType LIKE "%LSRQ")) as look count(eval(transactionType LIKE
            "BOOKRQSS%")) as book | eval lookbook=round(look/book) | rangemap field=lookbook severe=1001-100000 elevated=501-1000 low=0-500</param>
        <module name="SingleValue">
            <param name="field">lookbook</param>
            <param name="afterLabel">:1</param>
            <param name="classField">range</param>

I've read several answers here about the idiosyncrasies of using search in HiddenPostProcess modules, but still can't work out why I keep getting "Invalid field" in my SingleValue pane. What have I missed?

As an aside: the group="Look to Book Ratio" never seems to produce a label on the panel in column 1, but always does for column 2 and column 3. Weird.


Tags (2)
0 Karma


The answer is that in a dashboard or form-search context, Splunk has optimized behavior where it will only extract the fields that it sees in the search language of the main search string.

2 problems arising out of this.

1) referring to fields in the postProcess search that are not in the main search. Splunk didnt extract transactionType in the main search so this wont work.

2) referring to fields in the SingleValue module that are not in the main search. The UI can also send a parameter called required_field_list when the search is dispatched, and in most cases the modules are written correctly so that they know to do this. For example if you have a downstream SimpleResultsTable, with its 'fields' param set, the table module declares to the framework that it will need those fields extracted, so the framework includes them in the required_field_list. I think the implementation of SingleValue might overlook this case but i could be wrong.

Solution: easiest solution is to sneak in a fields clause into your main search, and include the '*' in that fields clause so that it doesnt actually do any filtering.

source="*stats.log" host="*prod*" | fields transactionType *
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...