Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

implementing searchPostProcess

joydeep741
Path Finder
‎05-11-2015 05:28 AM

I have two almost similar queries as two panels in a dashboard. Can someone guide me how i can make use of searchPostProcessing in thies scenario
Query 1
index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")

|timechart count by traffictype

Query 2
index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS")

|timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

I am not able to write a common transforming search(which will act as the searchTemplate/base search) for these two queries even though they both are almost same except for the last part.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aweitzman
Motivator
‎05-11-2015 08:48 AM

Try doing both timechart functions in one base operation, and then in your postprocesses filter out the fields you want.

Base search:

... big common search
| timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

Postprocess 1:

| fields _time count*

Postprocess 2:

| fields _time "Response Time*"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aweitzman
Motivator
‎05-11-2015 08:48 AM

Try doing both timechart functions in one base operation, and then in your postprocesses filter out the fields you want.

Base search:

... big common search
| timechart count, avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

Postprocess 1:

| fields _time count*

Postprocess 2:

| fields _time "Response Time*"
0 Karma
Reply
Solved! Jump to solution

joydeep741
Path Finder
‎05-11-2015 09:45 PM

Thanks. That worked..!!

0 Karma
Reply
Solved! Jump to solution

krish3
Contributor
‎05-11-2015 07:06 AM

Probably macros should the job for you.

Create a macro for your common search like this:

index=dotcom sourcetype=dotcom_access_log |eval traffictype=
case(
searchmatch("uri_path=/wcs/resources/store/10001 AND NOT uri_path=kiosk"),"API HITS US",
searchmatch("uri_path=/wcs/resources/store/20001 AND NOT uri_path=kiosk"),"API HITS CA",
searchmatch("uri_path=/cat_CL OR uri_path=/directory_"),"SEARCH HITS",
searchmatch("uri_path=/product_"),"PRODUCT PAGE HITS",
searchmatch("uri_path=daily*deals"),"DAILY DEALS HITS",
searchmatch("uri_path=kiosk"),"KIOSK HITS", 1==1, "DESKTOP HITS") to a macro named as you need.

And you can call it in search like this:

(tilde symbol)macro_name(tilde symbol) |timechart count by traffictype
(tilde symbol)macro_name(tilde symbol) | timechart avg(eval((response_time/1000)/1000)) as "Response Time" by traffictype

You can know more about macro here.

0 Karma
Reply
Solved! Jump to solution

joydeep741
Path Finder
‎05-11-2015 07:30 AM

But wouldn't that mean, i am actually doing the search twice ?
I wanted to do the common part of the search just once and use the results twice(saving time).

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...