Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- implementing searchPostProcess
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two almost similar queries as two panels in a dashboard. Can someone guide me how i can make use of searchPostProcessing in thies scenario
Query 1
index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")
|timechart count by traffictype
Query 2
index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")
|timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype
I am not able to write a common transforming search(which will act as the searchTemplate/base search) for these two queries even though they both are almost same except for the last part.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try doing both timechart functions in one base operation, and then in your postprocesses filter out the fields you want.
Base search:
... big common search
| timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype
Postprocess 1:
| fields _time count*
Postprocess 2:
| fields _time "Response Time*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try doing both timechart functions in one base operation, and then in your postprocesses filter out the fields you want.
Base search:
... big common search
| timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype
Postprocess 1:
| fields _time count*
Postprocess 2:
| fields _time "Response Time*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. That worked..!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably macros should the job for you.
Create a macro for your common search like this:
index=dotcom sourcetype=dotcom_access_log |eval traffictype= to a macro named as you need.
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")
And you can call it in search like this:
(tilde symbol)macro_name(tilde symbol) |timechart count by traffictype
(tilde symbol)macro_name(tilde symbol) | timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype
You can know more about macro here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But wouldn't that mean, i am actually doing the search twice ?
I wanted to do the common part of the search just once and use the results twice(saving time).
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
