Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

implementing searchPostProcess

joydeep741
Path Finder
‎05-11-2015 05:28 AM

I have two almost similar queries as two panels in a dashboard. Can someone guide me how i can make use of searchPostProcessing in thies scenario
Query 1
index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")

|timechart count by traffictype

Query 2
index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")

|timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

I am not able to write a common transforming search(which will act as the searchTemplate/base search) for these two queries even though they both are almost same except for the last part.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aweitzman
Motivator
‎05-11-2015 08:48 AM

Try doing both timechart functions in one base operation, and then in your postprocesses filter out the fields you want.

Base search:

... big common search
| timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

Postprocess 1:

| fields _time count*

Postprocess 2:

| fields _time "Response Time*"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aweitzman
Motivator
‎05-11-2015 08:48 AM

Try doing both timechart functions in one base operation, and then in your postprocesses filter out the fields you want.

Base search:

... big common search
| timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

Postprocess 1:

| fields _time count*

Postprocess 2:

| fields _time "Response Time*"
0 Karma
Reply
Solved! Jump to solution

joydeep741
Path Finder
‎05-11-2015 09:45 PM

Thanks. That worked..!!

0 Karma
Reply
Solved! Jump to solution

krish3
Contributor
‎05-11-2015 07:06 AM

Probably macros should the job for you.

Create a macro for your common search like this:

index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS") to a macro named as you need.

And you can call it in search like this:

(tilde symbol)macro_name(tilde symbol) |timechart count by traffictype
(tilde symbol)macro_name(tilde symbol) | timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

You can know more about macro here.

0 Karma
Reply
Solved! Jump to solution

joydeep741
Path Finder
‎05-11-2015 07:30 AM

But wouldn't that mean, i am actually doing the search twice ?
I wanted to do the common part of the search just once and use the results twice(saving time).

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...