Dashboards & Visualizations

Post processing summarized data

kjcorbin
Explorer

I have the following search which outputs summarized data in 4-hour chunks perfectly:

source="MySocket" NOT ServiceName="Private Service"
| eval search = if(eventtype="search",CounterValue,0)
| eval browse = if(eventtype="browse",CounterValue,0)
| eval tracks = if(eventtype="tracks",CounterValue,0)
| eval play_seconds_val = if(eventtype="play_seconds",CounterValue,0)
| eval play_error_val = if(eventtype="play_errors",CounterValue,0)
| eval play_error_adj_val = if(eventtype="play_error_adjusted",CounterValue,0)
| eval play_errors_total = play_error_val - play_error_adj_val
| eval browse_errors=if(eventtype="browse_error",CounterValue, 0)
| eval search_errors=if(eventtype="search_error",CounterValue, 0)
| eval other_errors = search_errors + browse_errors
| bin _time span=4h
| stats sum(search) as Search sum(browse) as Browse sum(tracks) as Tracks sum(play_seconds_val) as PlaySeconds sum(other_errors) as OtherErros sum(play_errors_total) as PlayErrorsTotal distinct_count(HouseholdId) as Households by _time ServiceName

However, when I try to use HiddenPostProcess with this to generate different charts and single value fields, I am getting invalid field errors.

Here are a couple of examples of what I am trying to do with post process:
stats sum(Households) - this is for a single value field it fails saying illegal
timechart span=1d sum(play_seconds_val) by ServiceName useother="f" - for a chart, produces no results
timechart span=1d PlaySecnds by ServiceName useother="f" - for a chart, errors saying it must be in the form <func>(<field>)

I cannot do the summarization step in post processing because the search will return more than 10,000 results. Does anyone have any idea how to accomplish this?

Thanks in advance,
Keith


sideview
SplunkTrust

Strange.

stats sum(Households) should work, that is unless the main search is completely empty.

What 'illegal' message did that return? Can you paste it in?

As to the second postProcess, timechart span=1d sum(play_seconds_val) by ServiceName useother="f": well, this won't work because the final results of your base search don't have a field called play_seconds_val. You renamed it to PlaySeconds.

And the third postProcess, for one thing there's a typo -- PlaySecnds instead of PlaySeconds, and for a second problem indeed you need to have a function argument like distinct_count() or sum() or max(). You can't just specify raw field names.
