having problems with the PostProcess module

klee310
Communicator

Hi, I'm having problems trying to display results in a PostProcess module.

My present scenario is this: I am trying to use a simple Search module to define a generic search, something like ==> search AccountNumber=a1010023

Then within the Search module, I would define a refined PostProcess module and a SingleValue module to display specific results.

If my PostProcess module contains an empty search string ==> *, and a FlashTimeline module, the results get displayed.

If my PostProcess module contains a search string such as ==> | stats count(MessageType) as count, and a SingleValue module with field=count, I get a weird error message displayed in the SingleValue box.

If my PostProcess module contains a search string such as ==> search * | stats count(MessageType) as count; or ==> search AccountNumber=a1010023 | stats count(MessageType) as count; I always get the result returned as 0 (zero). But testing this command in a regular search bar, I can get like 10060.

What is going on? Am I using the PostProcess module correctly?

The reason I chose to use PostProcess is to improve the performance of my dashboard. Otherwise I would have like 20 or so active searches going on at once when the dashboard is loaded. I am hoping to start off the dash with a generic search, such as one that gets all the messages of a specific account number; then within the search module, I would place a bunch of PostProcess modules which get the specific info they need to display for that account number.

Any help is greatly appreciated.


sideview
SplunkTrust

You're using the module correctly, but the real trick to using post-process searches in general is understanding the underlying issues in the search language and the API.

The fastest path to understanding those issues is to download the UI Examples app, which has a view under 'Advanced XML' called 'Using PostProcess on Dashboards'.

http://splunk-base.splunk.com/apps/22333/splunk-ui-examples-app-for-41

The specific issue you're running into here is probably because the fields are not there in the underlying job. To explain, if the underlying search did not refer to the 'MessageType' field or the 'AccountNumber' field, then Splunk won't go to the trouble of extracting those fields, which means they won't be preserved in the underlying job. This means that when we run our post-process search later, there will be no such field, and the search won't work as expected.

However, I really recommend reading the documentation in that UI Examples view, because there are several other issues and best practices that you'll be better off learning earlier.

Also, the HiddenPostProcess/PostProcess confusion may come from the fact that HiddenPostProcess is the Splunk module, but PostProcess is the analogue of HiddenPostProcess over in the Sideview Utils app (an app I developed and that I make available on SB). The PostProcess module there offers a key advantage over the HiddenPostProcess module, in that you can substitute $foo$ tokens into the postprocess search, from interactive modules (i.e. TextField, Pulldown and Checkbox).

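The field-preservation point in the answer above, as an added Advanced XML sketch that is not part of the original thread or of the UI Examples app: the base search names the fields the post-process searches need, so several panels can share one job. It assumes the stock HiddenSearch, HiddenPostProcess and SingleValue modules, a placeholder layoutPanel value, and that the post-process string is written without a leading pipe.

```xml
<!-- Added example, not from the thread. layoutPanel values are placeholders. -->

<!-- Before: the base search never refers to MessageType, so (per the answer
     above) the field is probably not kept in the base job and the
     post-process stats has nothing to count. -->
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">AccountNumber=a1010023</param>
  <module name="HiddenPostProcess">
    <param name="search">stats count(MessageType) as count</param>
    <module name="SingleValue">
      <param name="field">count</param>
    </module>
  </module>
</module>

<!-- After: the base search explicitly keeps every field a post-process
     search will use. Each HiddenPostProcess then reuses the same job
     instead of dispatching its own search. -->
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">AccountNumber=a1010023 | fields AccountNumber MessageType</param>

  <!-- Panel 1: number of events that carry a MessageType value -->
  <module name="HiddenPostProcess">
    <param name="search">stats count(MessageType) as count</param>
    <module name="SingleValue">
      <param name="field">count</param>
    </module>
  </module>

  <!-- Panel 2: number of distinct MessageType values, from the same job -->
  <module name="HiddenPostProcess">
    <param name="search">stats dc(MessageType) as types</param>
    <module name="SingleValue">
      <param name="field">types</param>
    </module>
  </module>
</module>
```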

klee310
Communicator

Thanks for the excellent reply. Also, I want to ask something related to this post-process construct. From the Splunk documentation, it seems the original base search must be a reporting search in order for post-process to work correctly. Am I correct in understanding this? This means the base search MUST end with a command like chart.

What if I wanted to use a filter-style base search, e.g. take all the events with AccountNumber=$AccountNumber$ first, in my base search, then search for additional fields or keywords from within the post-process? Perhaps post-process is not the proper module to use. In any case, can you suggest any resources I can follow for a simple solution?

At the moment, my dashboard takes about a minute to finish rendering because there are over 30 base searches to complete. It would be great if I could at the very least filter down my indexed data, say by account number, which should dramatically improve performance.


sideview
SplunkTrust

This should be an update on your original question, or maybe a new question. In the meantime though, I'll say that the docs make it sound absolute, but in reality you can use postprocess against non-reporting searches; there are just a lot of nasty pitfalls and performance problems that open up when you do.

klee310
Communicator

Ok, so this is what I've discovered.

The module name is actually HiddenPostProcess, not just PostProcess... I'm not sure where I got "PostProcess" from, maybe some old documentation, etc... sigh...

Next, you can't use tags in your search. I've tried replacing tags with the actual search that the original tag refers to, and everything works.
