
HiddenPostProcess

robgreen
Path Finder

I am trying to use HiddenSearch and HiddenPostProcess to fill all the panels of a dashboard.

I have a HiddenSearch like:

  <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Summary" autoRun="true">
    <param name="search">NOT platformtype=MOT CALL_END | eval duration=round(callLength/1000)</param>
    <param name="groupLabel">Summary</param>
    <param name="maxCount">10000</param>
    <param name="earliest">rt-5m</param>
    <param name="latest">rt</param>

then I try to use the search results in about 8 other panels with something like

    <module name="HiddenPostProcess">
      <param name="search">| stats count</param>
      <module name="SingleValue">
        <param name="beforeLabel">Total Calls</param>
        <param name="format">number</param>
      </module>
    </module>
    <module name="HiddenPostProcess">
      <param name="search">|  stats avg(duration) as avgDuration</param>
      <module name="SingleValue">
        <param name="beforeLabel">Avg Call Duration</param>
        <param name="format">number</param>
      </module>
    </module>

  <module name="HiddenPostProcess" layoutPanel="panel_row2_col1" group="Duration">
    <param name="search">|  timechart span="1m" avg(duration) by appID</param>
...

However, almost all of my panels come up blank or error out. I have a sneaky suspicion that my sub-searches aren't using the raw search results and are using some subset of it. If I enter all the searches individually into the search bar, everything works. I am really trying to optimize the search so I don't have basically the same query running 8 times, since I have over 17 trillion events.

rob


hexx
Splunk Employee

It's important to understand that the HiddenPostProcess module has a hard-coded, unconfigurable input limit of 10,000 events/results because it has been designed to consume a data cube of events rather than raw events.

So, in your situation, I would rather suggest that you modify the base search to build a data cube that can be consumed by both downstream HiddenPostProcess modules, like so:

  • base search:

NOT platformtype=MOT CALL_END | eval duration=round(callLength/1000) | bucket _time span=1m | sistats avg(duration) count by appID, _time

  • first post-process:

| stats count

  • second post-process:

| stats avg(duration) as avgDuration

  • third post-process:

| timechart span="1m" avg(duration) by appID

A few remarks:

  • Because we are now feeding results to the downstream HiddenPostProcess modules instead of events, there is no need to explicitly declare a list of fields to pass.
  • We are using sistats when building the data cube. This ensures that enough exogenous statistical information will be collected to allow the post-process searches to work without having to adapt them to the data cube. For example, without sistats, if the base search performs a stats count, the post-process will need to run stats sum(count) as count to return the total event count. With sistats, the post-process can just invoke stats count or even stats avg(field).
  • We are using bucket to discretize the data cube's _time dimension into 1-minute "buckets", which allows us to significantly reduce the number of results it will yield.
  • Although this technique should dramatically reduce the number of objects passed to HiddenPostProcess, you still have to ensure that this doesn't exceed 10,000 when searching over large time windows. Otherwise, the post-process modules will only operate over the first 10,000 results they receive and will therefore show incomplete data.

Further reading - Use one search for a whole dashboard

Paolo_Prigione
Builder

Splunk performs field optimization in the HiddenSearch, so the fields you do not explicitly ask for are not carried on to the post-processes. Try to add an explicit `| fields ...` at the end of the HiddenSearch:

<param name="search">NOT platformtype=MOT CALL_END | eval duration=round(callLength/1000) | fields + _time _raw duration appID ...</param>

robgreen
Path Finder

This was the solution and worked great

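Putting the two answers together, here is a complete advanced-XML dashboard definition (an added example, not code from the thread or from Splunk's documentation) that runs the base search once as a 1-minute data cube, as hexx describes, and feeds the three post-process panels from it. Module and parameter names are the ones used in the posts, except HiddenChartFormatter and FlashChart, which are assumed to be the standard advanced-XML charting modules for rendering the timechart; the search strings are the thread's own. Paolo_Prigione's alternative, keeping raw events but naming the fields to pass, is shown as a comment next to the base search.

```xml
<view template="dashboard.html">
  <label>Call summary (one base search, three post-processes)</label>

  <!-- Base search, run once. The bucket + sistats pair turns raw events into
       a data cube with one row per (appID, 1-minute bucket), so the
       HiddenPostProcess modules below consume far fewer than 10,000 rows.

       Alternative (Paolo_Prigione): keep raw events but stop Splunk from
       pruning the fields the post-processes need, e.g.
         NOT platformtype=MOT CALL_END | eval duration=round(callLength/1000)
         | fields + _time duration appID
       That variant is still subject to the 10,000-event post-process cap. -->
  <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Summary" autoRun="true">
    <param name="search">NOT platformtype=MOT CALL_END | eval duration=round(callLength/1000) | bucket _time span=1m | sistats avg(duration) count by appID, _time</param>
    <param name="groupLabel">Summary</param>
    <param name="earliest">rt-5m</param>
    <param name="latest">rt</param>

    <!-- Panel 1: total calls. sistats carries the per-row counts, so a plain
         "stats count" (not "stats sum(count)") gives the event total. -->
    <module name="HiddenPostProcess">
      <param name="search">| stats count</param>
      <module name="SingleValue">
        <param name="beforeLabel">Total Calls</param>
        <param name="format">number</param>
      </module>
    </module>

    <!-- Panel 2: average duration, again computed from the sistats cube
         without having to know how the base search was summarized. -->
    <module name="HiddenPostProcess">
      <param name="search">| stats avg(duration) as avgDuration</param>
      <module name="SingleValue">
        <param name="beforeLabel">Avg Call Duration</param>
        <param name="format">number</param>
      </module>
    </module>

    <!-- Panel 3: per-app timechart. The span must match the bucket span used
         in the base search (1m here) or the chart will re-aggregate across
         bucket boundaries. -->
    <module name="HiddenPostProcess" layoutPanel="panel_row2_col1" group="Duration">
      <param name="search">| timechart span=1m avg(duration) by appID</param>
      <module name="HiddenChartFormatter">
        <param name="charting.chart">line</param>
        <module name="FlashChart"/>
      </module>
    </module>
  </module>
</view>
```

The cube holds one row per distinct appID per 1-minute bucket, so over the 5-minute real-time window above it only exceeds the 10,000-row HiddenPostProcess cap if there are more than 2,000 distinct appID values. Before widening the window or the split-by, multiply (window minutes / span minutes) by the expected number of distinct appID values and keep the product under 10,000; otherwise the post-process panels will silently report on a truncated cube.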