Solved: Re: implementing searchPostProcess

joydeep741 · ‎05-11-2015

I have two almost similar queries as two panels in a dashboard. Can someone guide me how i can make use of searchPostProcessing in thies scenario
Query 1
index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")

|timechart count by traffictype

Query 2
index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")

|timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

I am not able to write a common transforming search(which will act as the searchTemplate/base search) for these two queries even though they both are almost same except for the last part.

aweitzman · ‎05-11-2015

Try doing both timechart functions in one base operation, and then in your postprocesses filter out the fields you want.

Base search:

... big common search
| timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

Postprocess 1:

| fields _time count*

Postprocess 2:

| fields _time "Response Time*"

View solution in original post

aweitzman · ‎05-11-2015

Try doing both timechart functions in one base operation, and then in your postprocesses filter out the fields you want.

Base search:

... big common search
| timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

Postprocess 1:

| fields _time count*

Postprocess 2:

| fields _time "Response Time*"

joydeep741 · ‎05-11-2015

Thanks. That worked..!!

krish3 · ‎05-11-2015

Probably macros should the job for you.

Create a macro for your common search like this:

index=dotcom sourcetype=dotcom_access_log |eval traffictype= case( searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US", searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA", searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS", searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS", searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS", searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS") to a macro named as you need.

And you can call it in search like this:

(tilde symbol)macro_name(tilde symbol) |timechart count by traffictype
(tilde symbol)macro_name(tilde symbol) | timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

You can know more about macro here.

joydeep741 · ‎05-11-2015

But wouldn't that mean, i am actually doing the search twice ?
I wanted to do the common part of the search just once and use the results twice(saving time).

implementing searchPostProcess

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!