Hi,
I am creating a custom view dashboard. In that I'm trying to utilize the same search to extract a single value and then modify that search slightly to put the rest of the results in a column chart. I would think that this would be fairly easy, but I'm missing something. I could just have two separate searches but that would be an inefficient use of resources.
In the example below I try to create a child "HiddenSearch". I don't get any errors, but all I see in the view is "No Result Data".
Any help would be appreciated.
<view template="dashboard.html">
  <label>myapp Ideitity Verification</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="navigationHeader" />
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>
  <module name="TimeRangePicker" group="Success Rate" layoutPanel="panel_row1_col1">
    <param name="selected">Last 7 days</param>
    <param name="searchWhenChanged">True</param>
    <module name="GenericHeader">
      <param name="label">Succcess Rate</param>
      <module name="HiddenSearch" autoRun="True">
        <param name="search">sourcetype="myapp_app_audit" End | stats count(eval((operation="ResetPIN" AND ref_step="Resolve" AND step="CheckAnswer") OR (operation="SetACI" AND ref_step="Resolve" AND (step="NeedNewCID" OR step="ForgotCID")) OR (operation="CreatePIN" AND ref_step="Resolve" AND match(step,"Register*")) OR (operation="ChangePIN" AND step="Change" AND ref_step="Resolve"))) AS Succeeded, count(eval(ref_step="InitNoAuth" AND step="Resolve")) AS Attempted | eval Failed=Attempted-Succeeded |eval SuccessRate=round(Succeeded/Attempted,2)</param>
        <module name="SingleValue">
          <param name="beforeLabel">Success Rate</param>
          <param name="format">percent</param>
          <param name="field">SuccessRate</param>
        </module>
        <module name="HiddenSearch" autoRun="True">
          <param name="search">|fields Attempted Failed Succeeded|untable "status" "status" "count"</param>
          <module name="HiddenChartFormatter">
            <param name="chart">column</param>
            <param name="primaryAxisTitle.text">Accumulated Totals</param>
            <param name="secondaryAxisTitle.text">Transaction Count</param>
            <param name="legend.placement">none</param>
            <module name="JobProgressIndicator" />
            <module name="FlashChart">
              <param name="width">100%</param>
              <param name="height">200px</param>
            </module>
            <module name="SimpleResultsTable" />
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
You need to use the HiddenPostProcess module to apply commands to data from a higher-level search. HiddenSearch will just run a different search from scratch, and in this case, just running the command |fields ... will produce no data.
Update:
The charts do not want data in untabled format. They need it in tables, where each series is a column. However, it also requires an x field to indicate the series grouping name/id. Assuming you just want three columns displayed (Attempted, Succeeded, Failed), to format your original search for the chart, instead of untable, you should use:
| fields Attempted Succeeded Failed | eval Units="count"
The name of the field and value don't matter.
I'm leaving the full code for what I am trying to do now that I know "HiddenPostProcess" exists. The |untable command seems to not work.
<view template="dashboard.html">
  <label>Test Area</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="navigationHeader" />
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>
  <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="selected">Last 7 days</param>
    <param name="searchWhenChanged">True</param>
    <module name="HiddenSearch" autoRun="True">
      <param name="search">(sourcetype="corps_app_error" NOT monitoring:W_ResponseTimeThresholdExceeded NOT common:F_RMDC_MissingRequiredValue NOT "Relationship * not supported") OR (sourcetype="corps_app_audit" End step="Resolve") | transaction ReqId | stats count(ReqId) AS Attempted, count(eval(NOT sourcetype="corps_app_error")) AS Succeeded |eval Failed=Attempted-Succeeded |eval SuccessRate=round(Succeeded/Attempted,2)</param>
      <module name="SingleValue">
        <param name="beforeLabel">Success Rate</param>
        <param name="format">percent</param>
        <param name="field">SuccessRate</param>
      </module>
      <module name="HiddenPostProcess">
        <param name="search">|fields Attempted Failed Succeeded |untable "status" "status" "count"</param>
        <module name="HiddenChartFormatter">
          <param name="chart">column</param>
          <param name="primaryAxisTitle.text">Identify User</param>
          <param name="secondaryAxisTitle.text">Transaction Count</param>
          <param name="legend.placement">None</param>
          <module name="JobProgressIndicator" />
          <module name="FlashChart">
            <param name="width">100%</param>
            <param name="height">200px</param>
          </module>
          <module name="SimpleResultsTable" />
        </module>
      </module>
    </module>
  </module>
</view>
Actually I kind of get what you are saying. I can make the chart if I use "Units", but how do I make the chart use that as my x-axis? It certainly isn't doing it in any way I can figure out.
Well, my table got messed up in comment formatting. It's basically a table with headers status & count. Then row 1, 2, 3.
I don't think that's right for what I am trying to do. My chart is a summation, not a chart over time. I have only been able to produce the chart I want by getting it in the following format.
   status     count
1  Attempted  658
2  Failed     122
3  Succeeded  536
So, I'm still a little stuck in that area. When I run this from the search app it works great and the chart is exactly what I want. When I do it in the "view" it gets messed up.
Thank you for that. I see that documentation. It is only partially working for me though. The initial search works and then it appears that the HiddenPostProcess kind of works, but it seems to stumble. I'm trying to turn this into a column chart and the use of the |untable command doesn't reorient the table like it does in the search bar.
Any suggestions for a different way to produce the same table is certainly welcome.
Oh, that's interesting...it's not in the online docs. I'll file a bug on that. In general, you can see docs for the modules in your own Splunk instance by going to http://localhost:8000/modules though.
Where is this documented?
addtotals