Splunk Search

Single Value Invalid field!

Dark_Ichigo
Builder

Im having this problem where I have a Macro: FILLNULL | eval POINT = case(Forecast>=SLA ,Forecast) | fields POINT | delta POINT | where POINT>0 | fields _time | head 1 | convert ctime(_time) as MY

I want to use this macro to populate a "Single Value" on my dashboard:

 <module name="ViewstateAdapter">
                                <param name="strictMode">True</param>
                                <module name="HiddenPostProcess">
                                        <param name="search">`SLA_TouchPAD`</param>
                                                <module name="SingleValue">
                                                        <param name="field">MY</param>
                                                 <param name="beforeLabel">TouchPad:</param>
                                                </module>
                                        </module>
                                </module>
                        </module>

But for some reason no matter what I do it displays that the field is Invalid?

I noticed others were having problems with this, but the search that my postprocesses adds to, only uses the exact fields that are extracted from the end of the main search, so what's the problem here?

I have taken a look at the UI_Examples app, not much help there in this case.

0 Karma
1 Solution

Dark_Ichigo
Builder

Thanks gkanapathy, but I managed to locate the issue, apparently my search macro had a number of parameters that were not visible to the HiddenPostProcess, so basically all I had to do was move it up a couple of Modules in order for it to be more visible to where those parameters were being generated.

View solution in original post

0 Karma

Dark_Ichigo
Builder

Thanks gkanapathy, but I managed to locate the issue, apparently my search macro had a number of parameters that were not visible to the HiddenPostProcess, so basically all I had to do was move it up a couple of Modules in order for it to be more visible to where those parameters were being generated.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

You need to show us your main search. A HiddenPostProcess can only run on fields that are returned from the main search. However, the main search results are optimized down before they are given the the HiddenPostProcess. In particular, if you don't explicitly use a field in the main search, it will be removed from the results, and therefore unavailale to the post process step.

0 Karma

Ant1D
Motivator

Does your macro work if you run it as a normal search? If it does then it might work if you add the following pipe to the end of your search: | count

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...