Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I do Field (column) selection for post process search in a dashboard panel?

uksysadmins
New Member
‎11-28-2016 02:43 PM

In a dashboard I'm trying to drive several charts off a single query and use post process search to select the fields that I want.
The timechart has a "by" clause and I wanted to select fields (columns in this case) for each chart based on the prefix which is the by field followed by a "-".
Assuming the by field is an "a" or a "b" I end up with fields like - _time, a-avgcpu,a-maxcpu,b-avgcpu,b-maxcpu
I wanted to chart them separately
So I tried <query> | fields _time,a-* and <query> | fields _time,b-*
For all the charts they just come up empty. Tried the equivalent search outside the dashboard app and it only displays the _time field.

Does using the by clause change something fundamental that I've missed to do with result names...is there another way to do this? ( I see from another question that it appears to be possible if there is no by clause, although they are also not using a wild card field selection in that question either)

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-28-2016 03:55 PM

You'll want your base search to end with | timechart something by something, and each postprocess search to be | fields _* a-*. Make sure your field names after the timechart match exactly to the fields.
There's a little bit of magic hidden in fields like _span to drive timechart-specific rendering, such as the fancy date axis.

For a nicer way, consider this:

base search:
... | bin _time | stats avg(something) as avgsomething by _time splitfield
post process 1:
| search splitfield=a | fields - splitfield | timechart values(*) as *
post process 2:
| search splitfield=b | fields - splitfield | timechart values(*) as *

In general, you'll want to only use timechart at the end and stick to bin|stats for intermediate steps. That way you don't end up with very wide tables and dynamic/unknown field names caused by the split-by field.

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...