Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I do Field (column) selection for post process search in a dashboard panel?

uksysadmins
New Member
‎11-28-2016 02:43 PM

In a dashboard I'm trying to drive several charts off a single query and use post process search to select the fields that I want.
The timechart has a "by" clause and I wanted to select fields (columns in this case) for each chart based on the prefix which is the by field followed by a "-".
Assuming the by field is an "a" or a "b" I end up with fields like - _time, a-avgcpu,a-maxcpu,b-avgcpu,b-maxcpu
I wanted to chart them separately
So I tried <query> | fields _time,a-* and <query> | fields _time,b-*
For all the charts they just come up empty. Tried the equivalent search outside the dashboard app and it only displays the _time field.

Does using the by clause change something fundamental that I've missed to do with result names...is there another way to do this? ( I see from another question that it appears to be possible if there is no by clause, although they are also not using a wild card field selection in that question either)

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-28-2016 03:55 PM

You'll want your base search to end with | timechart something by something, and each postprocess search to be | fields _* a-*. Make sure your field names after the timechart match exactly to the fields.
There's a little bit of magic hidden in fields like _span to drive timechart-specific rendering, such as the fancy date axis.

For a nicer way, consider this:

base search:
... | bin _time | stats avg(something) as avgsomething by _time splitfield
post process 1:
| search splitfield=a | fields - splitfield | timechart values(*) as *
post process 2:
| search splitfield=b | fields - splitfield | timechart values(*) as *

In general, you'll want to only use timechart at the end and stick to bin|stats for intermediate steps. That way you don't end up with very wide tables and dynamic/unknown field names caused by the split-by field.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...