Solved: Re: implementing searchPostProcess

joydeep741 · ‎05-11-2015

I have two almost similar queries as two panels in a dashboard. Can someone guide me how i can make use of searchPostProcessing in thies scenario
Query 1
index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")

|timechart count by traffictype

Query 2
index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")

|timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

I am not able to write a common transforming search(which will act as the searchTemplate/base search) for these two queries even though they both are almost same except for the last part.

aweitzman · ‎05-11-2015

Try doing both timechart functions in one base operation, and then in your postprocesses filter out the fields you want.

Base search:

... big common search
| timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

Postprocess 1:

| fields _time count*

Postprocess 2:

| fields _time "Response Time*"

View solution in original post

aweitzman · ‎05-11-2015

Try doing both timechart functions in one base operation, and then in your postprocesses filter out the fields you want.

Base search:

... big common search
| timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

Postprocess 1:

| fields _time count*

Postprocess 2:

| fields _time "Response Time*"

joydeep741 · ‎05-11-2015

Thanks. That worked..!!

krish3 · ‎05-11-2015

Probably macros should the job for you.

Create a macro for your common search like this:

index=dotcom sourcetype=dotcom_access_log |eval traffictype= case( searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US", searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA", searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS", searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS", searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS", searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS") to a macro named as you need.

And you can call it in search like this:

(tilde symbol)macro_name(tilde symbol) |timechart count by traffictype
(tilde symbol)macro_name(tilde symbol) | timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

You can know more about macro here.

joydeep741 · ‎05-11-2015

But wouldn't that mean, i am actually doing the search twice ?
I wanted to do the common part of the search just once and use the results twice(saving time).

implementing searchPostProcess

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!