Splunk Search

Post search stucks

Communicator

Hi,

I tried to use post search to populate list options:

    <search id="baseSearch">
        <query>
          <![CDATA[index=application host="myhost*" status<400| rex field=uri "\/(?<deptcode>[^\/]+)\/" 
          ]]>
        </query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
    </search>
    <fieldset submitButton="false">
    <input type="time" token="field2">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="d_name" searchWhenChanged="true">
      <label>Select a department</label>
      <choice value="*">All</choice>
      <search base="baseSearch">
        <query>
          stats count by deptcode
        </query>
      </search>
      <fieldForLabel>deptcode</fieldForLabel>
      <fieldForValue>deptcode</fieldForValue>
    </input>
  </fieldset>

However, using single search works as expected:

    <input type="dropdown" token="d_name" searchWhenChanged="true">
      <label>Select a department</label>
      <choice value="*">All</choice>
      <search>
        <query>
          <![CDATA[index=application host="myhost*" status<400| rex field=uri "\/(?<deptcode>[^\/]+)\/" | stats count by deptcode
          ]]>
        </query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <fieldForLabel>deptcode</fieldForLabel>
      <fieldForValue>deptcode</fieldForValue>
    </input>

Post search in panels in the same form is also not working. Would anyone please help?
Sorry for the newbie question.

Thanks a lot.
Regards,
/ST Wong

0 Karma

Re: Post search stucks

SplunkTrust

Try specifying the field explicitly in the base search and/or in the sub search, i.e., after your base search try adding

    your search | fields deptcode,<other fields>


0 Karma

Re: Post search stucks

Communicator

Thanks. The drop down list works after appending "fields" to the base search. May I know the reason behind it?

However, post search in panels is still not working (just "waiting for data"), e.g.

    <panel>
      <title>Time distribution of browser for department $d_name$</title>
      <chart>
        <search base="baseSearch">
          <query>
            search deptcode=$d_name$ | rename useragent as http_user_agent | lookup user_agents http_user_agent | timechart count by ua_family usenull=f useother=f
          </query>
        </search>
      </chart>
    </panel>

Again, using full search instead of base+post search works before. Would you help again?

Thanks a lot.

0 Karma

Re: Post search stucks

SplunkTrust

See the details of search mode here: http://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Changethesearchmode

The user field extraction might not take effect when it runs in smart/fast mode.

For your second issue, try the same trick by adding fields at the end of the drop down search,

i.e.:

    stats count by deptcode|fields deptcode

If it's not working, click on the search icon on the panel (below) and see what final search it's running. From there you will be able to identify

0 Karma

Re: Post search stucks

Communicator

Got it. Passing more fields in the base search makes the post search work; however, the time range earliest and latest nodes specified in the base search can't be passed to post searches. I also can't specify <earliest> or <latest> nodes in post search (gives unknown node error if I specify them in post search). Probably something else is missed in my code....

0 Karma

Re: Post search stucks

Communicator

Sorry that I accidentally added token="xxx" in the time picker instead of using the default timetok. It works after removing the token field.
Some post-process searches can only use default timetok, right?

0 Karma