Dashboards & Visualizations

Post processing summarized data

kjcorbin
Explorer

I have the following search which outputs summarized data in 4-hour chunks perfectly:

source="MySocket" NOT ServiceName="Private Service"
| eval search = if(eventtype="search", CounterValue, 0)
| eval browse = if(eventtype="browse", CounterValue, 0)
| eval tracks = if(eventtype="tracks", CounterValue, 0)
| eval play_seconds_val = if(eventtype="play_seconds", CounterValue, 0)
| eval play_error_val = if(eventtype="play_errors", CounterValue, 0)
| eval play_error_adj_val = if(eventtype="play_error_adjusted", CounterValue, 0)
| eval play_errors_total = play_error_val - play_error_adj_val
| eval browse_errors = if(eventtype="browse_error", CounterValue, 0)
| eval search_errors = if(eventtype="search_error", CounterValue, 0)
| eval other_errors = search_errors + browse_errors
| bin _time span=4h
| stats sum(search) as Search sum(browse) as Browse sum(tracks) as Tracks sum(play_seconds_val) as PlaySeconds sum(other_errors) as OtherErrors sum(play_errors_total) as PlayErrorsTotal distinct_count(HouseholdId) as Households by _time ServiceName

However when I try to use HiddenPostProcess with this to generate different charts and single value fields I am getting invalid field errors.

Here are a couple of examples of what I am trying to do with post process:

stats sum(Households) - this is for a single value field; it fails saying illegal
timechart span=1d sum(play_seconds_val) by ServiceName useother="f" - for a chart; produces no results
timechart span=1d PlaySecnds by ServiceName useother="f" - for a chart; errors saying it must be in the form <func>(<field>)

I cannot do the summarization step in post processing because the search will return more than 10,000 results. Does anyone have any idea how to accomplish this?

Thanks in advance,
Keith


sideview
SplunkTrust

Strange.

stats sum(Households) should work, that is unless the main search is completely empty.

What 'illegal' message did that return? Can you paste it in?

As to the second postProcess, timechart span=1d sum(play_seconds_val) by ServiceName useother="f" - well, this won't work because the final results of your base search don't have a field called play_seconds_val. You renamed it to PlaySeconds.

And the third postProcess: for one thing there's a typo (PlaySecnds instead of PlaySeconds), and for a second problem you do indeed need a function argument like distinct_count(), sum() or max(). You can't just specify raw field names.

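Putting the answer together, here is an added example (not from either poster) of the base search and the two post-process searches written so that they reference the fields the base search actually outputs. It uses Simple XML base/post-process searches rather than the Advanced XML HiddenPostProcess module the question mentions, because the same rules apply to both: the post-process sees only the renamed output fields (PlaySeconds, Households), and timechart needs the <func>(<field>) form. The dashboard label, the 7-day time range and the chart type are assumptions.

```xml
<dashboard>
  <label>Service counters (4h summary)</label>

  <!-- Base search: bin + stats collapses the raw events to a few rows per 4h bucket
       and ServiceName, so every post-process below stays far under the 10,000-row
       limit on what a post-process search may receive. This is the search from the
       question, with the OtherErrors field name spelled consistently. -->
  <search id="base">
    <query>
      source="MySocket" NOT ServiceName="Private Service"
      | eval search = if(eventtype="search", CounterValue, 0)
      | eval browse = if(eventtype="browse", CounterValue, 0)
      | eval tracks = if(eventtype="tracks", CounterValue, 0)
      | eval play_seconds_val = if(eventtype="play_seconds", CounterValue, 0)
      | eval play_error_val = if(eventtype="play_errors", CounterValue, 0)
      | eval play_error_adj_val = if(eventtype="play_error_adjusted", CounterValue, 0)
      | eval play_errors_total = play_error_val - play_error_adj_val
      | eval browse_errors = if(eventtype="browse_error", CounterValue, 0)
      | eval search_errors = if(eventtype="search_error", CounterValue, 0)
      | eval other_errors = search_errors + browse_errors
      | bin _time span=4h
      | stats sum(search) as Search sum(browse) as Browse sum(tracks) as Tracks
              sum(play_seconds_val) as PlaySeconds sum(other_errors) as OtherErrors
              sum(play_errors_total) as PlayErrorsTotal
              distinct_count(HouseholdId) as Households
        by _time ServiceName
    </query>
    <earliest>-7d@d</earliest> <!-- assumed time range -->
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <single>
        <title>Households (sum of per-bucket distinct counts)</title>
        <!-- Post-process operates on the base search's output rows, so the field
             is Households (the stats alias), not HouseholdId. -->
        <search base="base">
          <query>stats sum(Households) as Households</query>
        </search>
      </single>
    </panel>

    <panel>
      <chart>
        <title>Play seconds per day by service</title>
        <!-- timechart requires func(field); the field is the renamed PlaySeconds,
             not the pre-stats play_seconds_val, which no longer exists here. -->
        <search base="base">
          <query>timechart span=1d sum(PlaySeconds) by ServiceName useother=f</query>
        </search>
        <option name="charting.chart">column</option> <!-- assumed chart type -->
      </chart>
    </panel>
  </row>
</dashboard>
```

One caveat worth keeping in mind when reading the single-value panel: sum(Households) adds up distinct counts that were computed per 4h bucket, so a household active in several buckets is counted once per bucket. A true distinct count over the whole period cannot be recovered from the summarized rows; if that number is needed, it has to come from a separate search that runs distinct_count(HouseholdId) over the raw events.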