Is using a post-process search as the base of a further post-process search not supported?

briancronrath
Contributor

I couldn't find much on this in the docs. I did see that http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Viz/Savedsearches#Post-process_searches has an example of a chained post-process search, so I had figured it should work, but what I observed is that it isn't really practical for dashboards with inputs. By that, I mean that I was working on a dashboard that took in a dropdown input that set a token used in what we will refer to as "search 3". "search 3" used a base search of "search 2", which used a base search of "search 1". On initial load, the results for search 3 populate fine. However, if I try to change the input on the dropdown at all, the results for search 3 wouldn't change, and the bar below it where you can normally click on a magnifying glass to see new results then just becomes a grey bar.

The only way I was able to resolve it was by copying all of search 2, placing it in front of search 3, and making search 1 the base search for search 3. After this I now get the results I desire, where whenever the input changes, search 3 changes accordingly. Ideally I don't want to do this though, as it's causing redundant searching to be done.

Is this a bug or by design? Here is an easy repro you can do to try it yourself.

Try changing the input on this one:

<form>
  <label>Repro bug</label>
  <search id="base">
    <query>|makeresults | eval bogus_stuff="stuff"</query>
    <earliest>-1min</earliest>
    <latest>now</latest>
  </search>
  <search id="post1" base="base">
    <query>|append[|makeresults | eval bogus_stuff="more stuff"]</query>
    <earliest>-1min</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="token_val" searchWhenChanged="true">
      <label>field1</label>
      <choice value="a">a</choice>
      <choice value="b">b</choice>
      <choice value="c">c</choice>
      <initialValue>a</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>test</title>
        <search id="search3" base="post1">
          <query>|append [|makeresults | eval testing_stuff="$token_val$"]</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

Notice how above the results never changed. Now try it with this one and see they change fine:

<form>
  <label>Repro bug Clone</label>
  <search id="base">
    <query>|makeresults | eval bogus_stuff="stuff"</query>
    <earliest>-1min</earliest>
    <latest>now</latest>
  </search>
  <search id="post1" base="base">
    <query>|append[|makeresults | eval bogus_stuff="more stuff"]</query>
    <earliest>-1min</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="token_val" searchWhenChanged="true">
      <label>field1</label>
      <choice value="a">a</choice>
      <choice value="b">b</choice>
      <choice value="c">c</choice>
      <initialValue>a</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>test</title>
        <search id="searchWorks" base="base">
          <query>|append [|makeresults | eval bogus_stuff="more stuff"]|append [|makeresults | eval testing_stuff="$token_val$"]</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

rjthibod
Champion

Using things like append in a post-processing search is not recommended or not really supported.

Instead, you should use loadjob to load results from the first search into your second and third search.

The basic pattern is as follows:

<search id="base">
  <query>|makeresults | eval bogus_stuff="stuff"</query>
  <earliest>-1min</earliest>
  <latest>now</latest>
  <progress>
    <unset token="search_base_sid"/>
  </progress>
  <done>
    <set token="search_base_sid">$job.sid$</set>
  </done> 
</search>

Then reference the token in the other searches, while also removing the base="..." attribute from the <search> element.

<search id="post1">
  <query>|loadjob $search_base_sid$ | append[|makeresults | eval bogus_stuff="more stuff"]</query>
  <earliest>-1min</earliest>
  <latest>now</latest>
  <progress>
    <unset token="search_post1_sid"/>
  </progress>
  <done>
    <set token="search_post1_sid">$job.sid$</set>
  </done> 
</search>
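The full loadjob pattern from the answer above, assembled into a complete dashboard with the same dropdown input as the question's repro (an added example, not code from either poster; the token names search_base_sid and search_post1_sid are the ones the answer uses):

```xml
<form>
  <label>Chained searches via loadjob (added example)</label>
  <!-- Base search: publishes its job SID as a token once it finishes. -->
  <search id="base">
    <query>| makeresults | eval bogus_stuff="stuff"</query>
    <earliest>-1min</earliest>
    <latest>now</latest>
    <progress>
      <unset token="search_base_sid"/>
    </progress>
    <done>
      <set token="search_base_sid">$job.sid$</set>
    </done>
  </search>
  <!-- Second stage: a search whose query references an unset token is not dispatched,
       so this waits for the base job, loads it, adds rows and publishes its own SID. -->
  <search id="post1">
    <query>| loadjob $search_base_sid$ | append [| makeresults | eval bogus_stuff="more stuff"]</query>
    <earliest>-1min</earliest>
    <latest>now</latest>
    <progress>
      <unset token="search_post1_sid"/>
    </progress>
    <done>
      <set token="search_post1_sid">$job.sid$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="token_val" searchWhenChanged="true">
      <label>field1</label>
      <choice value="a">a</choice>
      <choice value="b">b</choice>
      <choice value="c">c</choice>
      <initialValue>a</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>test</title>
        <!-- Third stage: no base= attribute, so it is an ordinary search that re-runs
             whenever $token_val$ or $search_post1_sid$ changes; the dropdown takes effect. -->
        <search>
          <query>| loadjob $search_post1_sid$ | append [| makeresults | eval testing_stuff="$token_val$"]</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Changing the dropdown re-dispatches only the third search, since the two SID tokens are unchanged; the earlier jobs are reused via loadjob rather than re-run. Note that loadjob can only read a job whose artifacts still exist on the search head, so a dashboard left open past the jobs' lifetime needs the base search re-run (for example with a refresh) before the chain works again.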

briancronrath
Contributor

That's just what I used for a quick example, but the issue still persists regardless of using append or not. In my real world use-case I don't use append anywhere.


rjthibod
Champion

Without you sharing the details that are specific to your use case, I can't recommend a better course of action than what I already have posted. I have done the kind of thing you are asking about, but it could have been much simpler and therefore worked.

In general, I would avoid chaining post-processing and use loadjob instead, but you should post more information about the actual use case if you want a more fitting answer.
