I want to create a dashboard with 4 tables. I used a hidden search with 4 hiddenpostprocess(s). But all 4 tables can not display. When I change tables to charts, all work well. Any suggestions?
The version is 4.1.2.
Here's a simpler example pasted below - in this example i add two hiddenpostprocesses. One to generate a "single value" and one to generate a "result table". The "single value" was rendered well but the "results table" display nothing.
<view template="dashboard.html" stylesheet="forgroupdashboard.css"> <label>Dashboard of PPTest</label> <module name="AccountBar" layoutPanel="appHeader"/> <module name="AppBar" layoutPanel="navigationHeader"/> <module name="Message" layoutPanel="messaging"> <param name="filter">*</param> <param name="clearOnJobDispatch">False</param> <param name="maxSize">1</param> </module> <module name="TitleBar" layoutPanel="viewHeader"> <param name="showActionsMenu">True</param> </module> <module name="TimeRangePicker" layoutPanel="panel_row1_col1"> <param name="selected">Last 16 days</param> <param name="searchWhenChanged">True</param> <module name="HiddenSearch" autoRun="True" layoutPanel="panel_row1_col1"> <param name="search">eventtype="LOGIN_FAIL"</param> <module name="HiddenPostProcess" layoutPanel="panel_row1_col2"> <param name="search">stats count</param> <module name="SingleValue"> <param name="field">count</param> <param name="beforeLabel">Total failed count:</param> </module> </module> <module name="HiddenPostProcess" layoutPanel="panel_row2_col1"> <param name="search">stats count as Count by UserID | sort -Count | head 20 </param> <module name="SimpleResultsTable"> <param name="entityName">results</param> <param name="dataOverlayMode">heatmap</param> <param name="drilldown">all</param> <module name="ConvertToDrilldownSearch"> <module name="ViewRedirector"> <param name="popup">True</param> <param name="viewTarget">ipop_advanced_search_all</param> </module> </module> </module> </module> </module> </module> </view>
OK. There's a central issue around using PostProcess
This is a confusing topic and although its written up in the docs, the explanation there could probably be improved.
When splunkd kicks off the 'base search', meaning the 'eventtype=LOGIN_FAIL' search, it sees no reason to do any extra work, so it wont do various nontrivial things like field extractions and summaries etc. It will do exactly the amount of work required to fulfill that search, extracting any fields referred to by the eventtype for instance. However it will not do any more work than that.
Now at a later point your postProcess comes in, and its referring to an extracted field called UserId. Well this field doesnt exist in these results.
a quick solution is just to put a
| fields UserId on the end of your base search.
However I recommend checking out the example in the 'ui_examples' app that's called "Using postProcess with dashboards", and in particular reading what that view has to say and the warnings it has.
Hi nick, thanks for your help. I overlooked ui_examples's change from 3.4 to 4.1. Now, all tables can display well but i come into another problem. I add a paginator module between HiddenPostProcess and SimpleResultsTable (I add this change to the code i posted in the next answer), but it can not work correctly. It displays more that 100 pages of HiddenSearch other that 2 pages of results after stats command. Is it a bug or I do something wrong? Please help. Thanks. Dianbo
Unfortunately the Paginator (and also the SimpleResultsHeader/ResultsHeader modules) still dont work with the Paginator. Admittedly this makes the tables rather limited but we should have some way forward for it in our next big release.
Note that if you use Sideview utils, you can use the Pager module instead of the Paginator module, and the Pager module will correctly account for the effect of the postProcess search on the number of results, whereas the Paginator will still not.
I am having the same problem trying to get the SimpleResultsTable working with a HiddenPostProcess search...
the paginator displays showing the correct number of pages but no table...
How did you get arround this