Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Passing Text to a SingleValue Panel

zschmid
Path Finder
‎12-10-2010 09:34 PM

Is it possible to pass text to a SingleValue Panel? I am able to create a SingleValue panel and display numeric values with no problem. But as soon as I take a field that returns a text value instead of numeric the SingleValue field displays "Invalid Field".

Am I taking the right approach to displaying a single text value?

 <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
      <param name="search">index=dna sourcetype=dna dest_host="XXXXXXXX" | dedup dest_host | </param>
      <param name="earliest">-24h</param>
      <module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1">
      <param name="search">stats first(dest_ip)</param>
         <module name="SingleValue">
           <param name="field">first(dest_ip)</param>
           <param name="beforeLabel">IP Address:</param>
         </module>
    </module>
    <module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp2">
      <param name="search">stats first(dest_city) AS city first(dest_state) AS state first(dest_country) AS country | eval location=city.",".state." ".country</param>
         <module name="SingleValue">
           <param name="field">location</param>
           <param name="beforeLabel">Home Location:</param>
         </module>
    </module>
</module>
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎12-10-2010 10:01 PM

This is a common problem that you're hitting but it's not a SingleValue problem. SingleValue can display text values just fine.

What it is, is that when you refer to a field in a postProcess search, you have to make sure that the field will be there in the underlying search results.

So here the postProcess is referring to a field called 'dest_ip', however nobody told the main search that 'dest_ip' was an important field so it will not have preserved it. (Splunkd doesnt do unnecessary work- it'll only extract and preserve the fields that it beleives are necessary to fulfill the search at search time)

Short version: If you add | fields dest_host dest_ip onto the end of your base search it'll work.

Check out the 'Using postProcess on dashboards' view within the 'UI Examples for 4.1' app, available on splunkbase. It talks a lot about the pitfalls that can ruin your day when you're using postprocess and this is definitely one.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎12-10-2010 10:01 PM

This is a common problem that you're hitting but it's not a SingleValue problem. SingleValue can display text values just fine.

What it is, is that when you refer to a field in a postProcess search, you have to make sure that the field will be there in the underlying search results.

So here the postProcess is referring to a field called 'dest_ip', however nobody told the main search that 'dest_ip' was an important field so it will not have preserved it. (Splunkd doesnt do unnecessary work- it'll only extract and preserve the fields that it beleives are necessary to fulfill the search at search time)

Short version: If you add | fields dest_host dest_ip onto the end of your base search it'll work.

Check out the 'Using postProcess on dashboards' view within the 'UI Examples for 4.1' app, available on splunkbase. It talks a lot about the pitfalls that can ruin your day when you're using postprocess and this is definitely one.

0 Karma
Reply
Solved! Jump to solution

zschmid
Path Finder
‎12-10-2010 10:16 PM

Awesome. This worked perfectly. Thanks for the quick response!

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top