Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why does this form search work

usd0872
Path Finder
‎08-02-2013 05:22 AM

Can anybody enlighten me on why the form below (shortened) works when it's designed exactly this way, but not in any other? (using splunk 4.3.6)

Specifically, in the <searchPostProcess> I wanted to use something like

stats sum(r) as "requests" by $resolution$

or even move the whole second stats part into the <serachPostProcess> section,

or use fields $resolution$ requests instead of spelling out all possibilities for $resolution$,
but $resolution$ is not picked up in there.

The same when trying with multiple searches, placing into each visualization will not pick up $resolution$ either.

Bug in my thinking? Bug in the software? No bug at all? (Either way bugging me...)

<form>
  <label>Longtime Statistics</label>

  <searchTemplate>
    index=xxx_xxxxxxx_app_summary search_name="summaryfill_longtime_statistics"
      | eval day=strftime(_time, "%Y-%m-%d")
      | eval week=strftime(_time, "%Y-wk%V")
      | eval month=strftime(_time, "%Y-%m")
        | stats
                count AS r
                dc(sessionid) as u
                sum(is_longrunning) as d
          by day, week, month
        | stats
                avg(r) AS avg_r
                avg(u) AS avg_u
                avg(d) AS avg_d
                sum(r) AS requests
                sum(u) as "unique sessionid's"
                sum(d) as "duration > 10s"
          by $resolution$
          | eval "requests avg/day"=round(avg_r,0)
          | eval "unique sessionid's avg/day"=round(avg_u,0)
          | eval "duration > 10s avg/day"=round(avg_d,0)
    | rename search_documentation AS "

    01)    select index and search_name (from summary index filling search)
    02-04) calculate a day, week and month fields used to segment by later on
    05-09) create a statistics table with
           - total count of requests (r)
           - number of unique sessionid's (u)
           - total of requests with the longrunning flag set (d)
           by day, week and month identifiers (for further segmentation
           further down)
    10-17) take the statistics table just produced and expand it with averages
           so it contains the following fields, by resolution
           (resolution is day/week/month as selected by radiobutton)
           - average of requests per day (avg_r)
           - average of unique sessionid's per day (avg_u)
           - average of longrunning requests per day (avg_d)
           - total number of requests (requests)
           - number of unique sessionid's (unique sessionid's)
           - total of requests with the longrunning flag set (duration > 10s)
    18-20) the averages are floating point, but we want integers, so they
           are rounded
    "
  </searchTemplate>

  <fieldset autoRun="true" submitButton="false">

    <input type="time" searchWhenChanged="true">
      <label>Timerange:</label>
      <default>Year to date</default>
    </input>
    
    <input type="radio" token="resolution" searchWhenChanged="true">
      <label>Resolution:</label>
      <default>monthly</default>
      <choice value="day">daily</choice>
      <choice value="week">weekly</choice>
      <choice value="month">monthly</choice>
    </input>
    
  </fieldset>

  <row>
    <chart>
      <searchPostProcess>fields month week day requests</searchPostProcess>
      <!-- chart options removed -->
    </chart>
  </row>
  
  <!-- remaining visualizations removed -->

</form>
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

cphair
Builder
‎08-02-2013 01:46 PM

In advanced XML, once you use an intention ($variable$) in a search, it is "consumed" and not available for downstream modules unless you explicitly reassign it. That may be what you're encountering--the use of $resolution$ in the search template might make it unavailable for the post process. Check out the adv. XML (add ?showsource=1 to the URL) if you're feeling adventurous. Also look at http://splunk-base.splunk.com/answers/2218/adding-intention-to-second-drilldown-search and http://splunk-base.splunk.com/answers/3472/drilldown-with-stringreplace-intention for reference.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cphair
Builder
‎08-02-2013 01:46 PM

In advanced XML, once you use an intention ($variable$) in a search, it is "consumed" and not available for downstream modules unless you explicitly reassign it. That may be what you're encountering--the use of $resolution$ in the search template might make it unavailable for the post process. Check out the adv. XML (add ?showsource=1 to the URL) if you're feeling adventurous. Also look at http://splunk-base.splunk.com/answers/2218/adding-intention-to-second-drilldown-search and http://splunk-base.splunk.com/answers/3472/drilldown-with-stringreplace-intention for reference.

0 Karma
Reply
Solved! Jump to solution

usd0872
Path Finder
‎08-06-2013 07:44 AM

That starts to make sense. It appears I was mixing the two approaches documented at http://docs.splunk.com/Documentation/Splunk/5.0.4/Viz/Exampleform#Use_the_same_search_in_multiple_pa... in an incompatible way. With <searchTemplate> using $resolution$ multiple times seems to work, but not with <searchPostProcess>.

Thanks for explaining.

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top