Dashboards & Visualizations

HiddenPostProcess: search and eval confusion

Path Finder

I have the following:

   <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
        <param name="search">source="*stats.log" host="*prod*"</param>
        <param name="earliest">rt-60m</param>
        <param name="latest">rt</param>

    <module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp1" group="Look to Book Ratio">
        <param name="search">search transactionType="*" | streamstats
            count(eval(transactionType LIKE "%LSRQ")) as look count(eval(transactionType LIKE
            "BOOKRQSS%")) as book | eval lookbook=round(look/book) | rangemap field=lookbook severe=1001-100000 elevated=501-1000 low=0-500</param>
        <module name="SingleValue">
            <param name="field">lookbook</param>
            <param name="afterLabel">:1</param>
            <param name="classField">range</param>

I've read several answers here about the idiosyncrasies of using search in HiddenPostProcess modules, but still can't work out why I keep getting "Invalid field" in my SingleValue pane. What have I missed?

As an aside: the group="Look to Book Ratio" never seems to produce a label on the panel in column 1, but always does for column 2 and column 3. Weird.


Tags (2)
0 Karma


The answer is that in a dashboard or form-search context, Splunk has optimized behavior where it will only extract the fields that it sees in the search language of the main search string.

2 problems arising out of this.

1) referring to fields in the postProcess search that are not in the main search. Splunk didnt extract transactionType in the main search so this wont work.

2) referring to fields in the SingleValue module that are not in the main search. The UI can also send a parameter called required_field_list when the search is dispatched, and in most cases the modules are written correctly so that they know to do this. For example if you have a downstream SimpleResultsTable, with its 'fields' param set, the table module declares to the framework that it will need those fields extracted, so the framework includes them in the required_field_list. I think the implementation of SingleValue might overlook this case but i could be wrong.

Solution: easiest solution is to sneak in a fields clause into your main search, and include the '*' in that fields clause so that it doesnt actually do any filtering.

source="*stats.log" host="*prod*" | fields transactionType *
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...