Solved: post-process search to get a single value?

mitag · ‎04-24-2020

This is a follow up to my "simplifying a (field extraction error) dashboard?" question earlier today, and the new question is:

How do I structure my base and post-process searches to produce single value visualizations for the three calculated stats values: (1) count of events with errors, (2) w/o errors, and (3) the total - in addition to this?

sourcetype="tomcat:vantage" 
| eval "Field Extraction Error(s)" = if(isnull(message),"1","0")
| stats sparkline count by "Field Extraction Error(s)"

In other words the result should be something like this, where the single value visualizations are produced using base and post-process searches, as opposed to separate ones:

Thanks!

to4kawa · ‎04-24-2020

sample(use index=_internal😞

<dashboard>
  <label>Single sample</label>
  <search id="base2">
    <query>index=_internal
 | eval "Field Extraction Error(s)" = if(isnotnull(message),"1","0")
 | stats count sparkline by "Field Extraction Error(s)"
 | addcoltotals labelfield="Field Extraction Error(s)" label=""</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <single>
        <title>data quality: events with no FX Error(s)</title>
        <search base="base2">
          <query>| search "Field Extraction Error(s)" IN ("0")
| table count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>data quality: Field Extraction Error(s)</title>
        <search base="base2">
          <query>| table "Field Extraction Error(s)" sparkline count</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <title>data quality: FX Error(s)</title>
        <search base="base2">
          <query>| search "Field Extraction Error(s)" IN ("1")
| table count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>data quality: Total</title>
        <search base="base2">
          <query>| search "Field Extraction Error(s)" IN ("")
| table count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</dashboard>

you can do it.

View solution in original post

to4kawa · ‎04-24-2020

sample(use index=_internal😞

<dashboard>
  <label>Single sample</label>
  <search id="base2">
    <query>index=_internal
 | eval "Field Extraction Error(s)" = if(isnotnull(message),"1","0")
 | stats count sparkline by "Field Extraction Error(s)"
 | addcoltotals labelfield="Field Extraction Error(s)" label=""</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <single>
        <title>data quality: events with no FX Error(s)</title>
        <search base="base2">
          <query>| search "Field Extraction Error(s)" IN ("0")
| table count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>data quality: Field Extraction Error(s)</title>
        <search base="base2">
          <query>| table "Field Extraction Error(s)" sparkline count</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <title>data quality: FX Error(s)</title>
        <search base="base2">
          <query>| search "Field Extraction Error(s)" IN ("1")
| table count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>data quality: Total</title>
        <search base="base2">
          <query>| search "Field Extraction Error(s)" IN ("")
| table count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</dashboard>

you can do it.

mitag · ‎04-27-2020

Thank you - this works, and I learned a couple of things! P.S. A simplified version of your answer:

Base Search:

sourcetype="tomcat:vantage"
  | eval "Field Extraction Error(s)" = if(isnull(message),"Present","Not Present")
  | stats sparkline count by "Field Extraction Error(s)"
  | addcoltotals labelfield="Field Extraction Error(s)" label="Total Events"

Post-process searches:

| search "Field Extraction Error(s)" IN ("Present")
| table count

| table "Field Extraction Error(s)" sparkline count

| search "Field Extraction Error(s)" IN ("Total Events")
| table count

| search "Field Extraction Error(s)" IN ("Not Present")
| table count

post-process search to get a single value?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

post-process search to get a single value?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey