SimpleResultsTable in HiddenPostProcess can not work

dianbo_1
Path Finder

Hi,

I want to create a dashboard with 4 tables. I used a hidden search with 4 HiddenPostProcess modules, but none of the 4 tables display. When I change the tables to charts, all work well. Any suggestions?

The version is 4.1.2.

Here's a simpler example pasted below. In this example I add two HiddenPostProcess modules: one to generate a "single value" and one to generate a "results table". The "single value" renders well but the "results table" displays nothing.

<view template="dashboard.html" stylesheet="forgroupdashboard.css">
  <label>Dashboard of PPTest</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="showActionsMenu">True</param>
  </module>

  <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="selected">Last 16 days</param>
    <param name="searchWhenChanged">True</param>

    <module name="HiddenSearch" autoRun="True" layoutPanel="panel_row1_col1">
      <param name="search">eventtype="LOGIN_FAIL"</param>

      <module name="HiddenPostProcess" layoutPanel="panel_row1_col2">
        <param name="search">stats count</param>
        <module name="SingleValue">
          <param name="field">count</param>
          <param name="beforeLabel">Total failed count:</param>
        </module>
      </module>

      <module name="HiddenPostProcess" layoutPanel="panel_row2_col1">
        <param name="search">stats count as Count by UserID | sort -Count | head 20</param>
        <module name="SimpleResultsTable">
          <param name="entityName">results</param>
          <param name="dataOverlayMode">heatmap</param>
          <param name="drilldown">all</param>
          <module name="ConvertToDrilldownSearch">
            <module name="ViewRedirector">
              <param name="popup">True</param>
              <param name="viewTarget">ipop_advanced_search_all</param>
            </module>
          </module>
        </module>
      </module>

    </module>

  </module>

</view>

Thanks,

Dianbo

1 Solution

sideview
SplunkTrust

OK. There's a central issue around using PostProcess

http://www.splunk.com/base/Documentation/4.1.2/Developer/PostProcess

This is a confusing topic and although it's written up in the docs, the explanation there could probably be improved.

When splunkd kicks off the 'base search', meaning the 'eventtype=LOGIN_FAIL' search, it sees no reason to do any extra work, so it won't do various nontrivial things like field extractions and summaries etc. It will do exactly the amount of work required to fulfill that search, extracting any fields referred to by the eventtype for instance. However it will not do any more work than that.

Now at a later point your postProcess comes in, and it's referring to an extracted field called UserId. Well, this field doesn't exist in these results.

A quick solution is just to put a | fields UserId on the end of your base search.

However I recommend checking out the example in the 'ui_examples' app that's called "Using postProcess with dashboards", and in particular reading what that view has to say and the warnings it has.
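
The base-search change described in this answer, shown as an added example that is not part of the original post or of Splunk's own examples. Variant A applies the quick fix using the field spelling from the posted view (UserID); variant B, which moves the aggregation into the base search, is an assumption added here and not something the thread proposes.

```xml
<!-- Added example, not from the original post. Fragment for use inside the
     TimeRangePicker module of the view above. Use one variant, not both;
     the drilldown modules are omitted. -->

<!-- Variant A: the quick fix. The base search names the field explicitly so it
     is present in the results the post-process searches read. Field names are
     case-sensitive, so the spelling must match the post-process (UserID). -->
<module name="HiddenSearch" autoRun="True" layoutPanel="panel_row1_col1">
  <param name="search">eventtype="LOGIN_FAIL" | fields UserID</param>

  <module name="HiddenPostProcess" layoutPanel="panel_row1_col2">
    <param name="search">stats count</param>
    <module name="SingleValue">
      <param name="field">count</param>
      <param name="beforeLabel">Total failed count:</param>
    </module>
  </module>

  <module name="HiddenPostProcess" layoutPanel="panel_row2_col1">
    <param name="search">stats count as Count by UserID | sort -Count | head 20</param>
    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
    </module>
  </module>
</module>

<!-- Variant B (assumption: not suggested in the thread). The base search does
     the aggregation, so each post-process reads a small summary table.
     Events with no UserID fall out of "by UserID" and are not in the total. -->
<module name="HiddenSearch" autoRun="True" layoutPanel="panel_row1_col1">
  <param name="search">eventtype="LOGIN_FAIL" | stats count as Count by UserID</param>

  <module name="HiddenPostProcess" layoutPanel="panel_row1_col2">
    <param name="search">stats sum(Count) as count</param>
    <module name="SingleValue">
      <param name="field">count</param>
      <param name="beforeLabel">Total failed count:</param>
    </module>
  </module>

  <module name="HiddenPostProcess" layoutPanel="panel_row2_col1">
    <param name="search">sort -Count | head 20</param>
    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
    </module>
  </module>
</module>
```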

kenchisho
Path Finder

I am having the same problem trying to get the SimpleResultsTable working with a HiddenPostProcess search...

the paginator displays, showing the correct number of pages, but no table...

How did you get around this?

0 Karma

sideview
SplunkTrust

Note that if you use Sideview utils, you can use the Pager module instead of the Paginator module, and the Pager module will correctly account for the effect of the postProcess search on the number of results, whereas the Paginator will still not.

0 Karma

sideview
SplunkTrust

Unfortunately the Paginator (and also the SimpleResultsHeader/ResultsHeader modules) still don't work with the Paginator. Admittedly this makes the tables rather limited but we should have some way forward for it in our next big release.

0 Karma

dianbo_1
Path Finder

Hi Nick, thanks for your help. I overlooked ui_examples's change from 3.4 to 4.1. Now all tables display well, but I have come across another problem. I added a Paginator module between HiddenPostProcess and SimpleResultsTable (I added this change to the code I posted in the next answer), but it does not work correctly. It displays more than 100 pages of the HiddenSearch rather than the 2 pages of results after the stats command. Is it a bug or am I doing something wrong? Please help. Thanks. Dianbo

0 Karma