Developing for Splunk Enterprise
Highlighted

postprocess chaining - multiple postprocess searches

Communicator

Hello,

I was wondering if anyone have successfully done a chain of postprocesses?

I'm using the django template {% postprocess ... %} but if I try to chain two or three postprocesses, I get wrong results. Here is below a very simple example, where I'm expecting the table4 to show a stats table but this is not the case. Any work around for this?

{% block content %}
    {% table id="table1" managerid="search1" pageSize="10" %}
    {% table id="table2" managerid="postproc1_1" pageSize="10" %}
    {% table id="table3" managerid="postproc2" pageSize="10" %}
    {% table id="table4" managerid="postproc3" pageSize="10" %}
{% endblock content%}

{% block managers %}
    {% searchmanager
        id="search1"
        search="index=_internal | head 1000 | fields - _raw | fields sourcetype"
        earliest_time="-4h@h"
        latest_time="now"
        cache=False
        preview=False
        exec_mode="blocking" %}

    {% postprocessmanager
        id="postproc1"
        managerid="search1"
        search="search sourcetype=splunk*" %}

    {% postprocessmanager
        id="postproc1_1"
        managerid="postproc1"
        search=" search sourcetype!=splunkd | stats count as total by sourcetype" %}

    {% postprocessmanager
        id="postproc2"
        managerid="postproc1"
        search="search sourcetype=splunkd | stats count by sourcetype" %}

    {% postprocessmanager
        id="postproc3"
        managerid="postproc1_1"
        search="search sourcetype=splunk* " %}

{% endblock managers %}

Regards,
Olivier

Highlighted

Re: postprocess chaining - multiple postprocess searches

Path Finder

Tried to do it just now with javascript and basically you can't chain it because the postprocessmanager doesn't have the same functionality as the searchmanager.

Really bad Splunk Design, as this it's very inefficient to keep having to access the data from the searchmanager.

0 Karma