Dashboards & Visualizations

Post processing summarized data

kjcorbin
Explorer

I have the following search which outputs summarized data in 4 hours chunks perfectly:

source="MySocket" NOT ServiceName="Private Service"
| eval search = if(eventtype="search",CounterValue,0)
| eval browse = if(eventtype="browse",CounterValue,0)
| eval tracks = if(eventtype="tracks",CounterValue,0)
| eval play_seconds_val = if(eventtype="play_seconds",CounterValue,0)
| eval play_error_val = if(eventtype="play_errors",CounterValue,0)
| eval play_error_adj_val = if(eventtype="play_error_adjusted",CounterValue,0)
| eval play_errors_total = play_error_val - play_error_adj_val
| eval browse_errors=if(eventtype="browse_error",CounterValue, 0)
| eval search_errors=if(eventtype="search_error",CounterValue, 0)
| eval other_errors = search_errors + browse_errors
| bin _time span=4h
| stats sum(search) as Search sum(browse) as Browse sum(tracks) as Tracks sum(play_seconds_val) as PlaySeconds sum(other_errors) as OtherErros sum(play_errors_total) as PlayErrorsTotal distinct_count(HouseholdId) as Households by _time ServiceName

However when I try to use HiddenPostProcess with this to generate different charts and single value fields I am getting invalid field errors.

Here are a couple of examples of what I am trying to do with post-process:
stats sum(Households) - this is for a single value field; it fails saying illegal
timechart span=1d sum(play_seconds_val) by ServiceName useother="f" - for a chart, produces no results
timechart span=1d PlaySecnds by ServiceName useother="f" - for a chart, errors saying it must be in the form <func>(<field>)

I cannot do the summarization step in post processing because the search will return more than 10,000 results. Does anyone have any idea how to accomplish this?

Thanks in advance,
Keith


sideview
SplunkTrust

Strange.

stats sum(Households) should work, that is unless the main search is completely empty.

What 'illegal' message did that return? Can you paste it in?

As to the second postProcess, timechart span=1d sum(play_seconds_val) by ServiceName useother="f" -

Well, this won't work because the final results of your base search don't have a field called play_seconds_val. You renamed it to PlaySeconds.

And the third postProcess, for one thing there's a typo -- PlaySecnds instead of PlaySeconds, and for a second problem indeed you need to have a function argument like distinct_count() or sum() or max(). You can't just specify raw field names.
