why does this form search work

usd0872
Path Finder

Can anybody enlighten me on why the form below (shortened) works when it's designed exactly this way, but not in any other? (using Splunk 4.3.6)

Specifically, in the <searchPostProcess> I wanted to use something like

stats sum(r) as "requests" by $resolution$

or even move the whole second stats part into the <searchPostProcess> section,

or use fields $resolution$ requests instead of spelling out all possibilities for $resolution$,
but $resolution$ is not picked up in there.

The same when trying with multiple searches, placing into each visualization will not pick up $resolution$ either.

Bug in my thinking? Bug in the software? No bug at all? (Either way bugging me...)

<form>
  <label>Longtime Statistics</label>

  <searchTemplate>
    index=xxx_xxxxxxx_app_summary search_name="summaryfill_longtime_statistics"
      | eval day=strftime(_time, "%Y-%m-%d")
      | eval week=strftime(_time, "%Y-wk%V")
      | eval month=strftime(_time, "%Y-%m")
        | stats
                count AS r
                dc(sessionid) as u
                sum(is_longrunning) as d
          by day, week, month
        | stats
                avg(r) AS avg_r
                avg(u) AS avg_u
                avg(d) AS avg_d
                sum(r) AS requests
                sum(u) as "unique sessionid's"
                sum(d) as "duration > 10s"
          by $resolution$
          | eval "requests avg/day"=round(avg_r,0)
          | eval "unique sessionid's avg/day"=round(avg_u,0)
          | eval "duration > 10s avg/day"=round(avg_d,0)
    | rename search_documentation AS "

    01)    select index and search_name (from summary index filling search)
    02-04) calculate a day, week and month fields used to segment by later on
    05-09) create a statistics table with
           - total count of requests (r)
           - number of unique sessionid's (u)
           - total of requests with the longrunning flag set (d)
           by day, week and month identifiers (for further segmentation
           further down)
    10-17) take the statistics table just produced and expand it with averages
           so it contains the following fields, by resolution
           (resolution is day/week/month as selected by radiobutton)
           - average of requests per day (avg_r)
           - average of unique sessionid's per day (avg_u)
           - average of longrunning requests per day (avg_d)
           - total number of requests (requests)
           - number of unique sessionid's (unique sessionid's)
           - total of requests with the longrunning flag set (duration > 10s)
    18-20) the averages are floating point, but we want integers, so they
           are rounded
    "
  </searchTemplate>

  <fieldset autoRun="true" submitButton="false">

    <input type="time" searchWhenChanged="true">
      <label>Timerange:</label>
      <default>Year to date</default>
    </input>
    
    <input type="radio" token="resolution" searchWhenChanged="true">
      <label>Resolution:</label>
      <default>monthly</default>
      <choice value="day">daily</choice>
      <choice value="week">weekly</choice>
      <choice value="month">monthly</choice>
    </input>
    
  </fieldset>

  <row>
    <chart>
      <searchPostProcess>fields month week day requests</searchPostProcess>
      <!-- chart options removed -->
    </chart>
  </row>
  
  <!-- remaining visualizations removed -->

</form>
1 Solution

cphair
Builder

In advanced XML, once you use an intention ($variable$) in a search, it is "consumed" and not available for downstream modules unless you explicitly reassign it. That may be what you're encountering--the use of $resolution$ in the search template might make it unavailable for the post process. Check out the adv. XML (add ?showsource=1 to the URL) if you're feeling adventurous. Also look at http://splunk-base.splunk.com/answers/2218/adding-intention-to-second-drilldown-search and http://splunk-base.splunk.com/answers/3472/drilldown-with-stringreplace-intention for reference.

0 Karma

usd0872
Path Finder

That starts to make sense. It appears I was mixing the two approaches documented at http://docs.splunk.com/Documentation/Splunk/5.0.4/Viz/Exampleform#Use_the_same_search_in_multiple_pa... in an incompatible way. With <searchTemplate> using $resolution$ multiple times seems to work, but not with <searchPostProcess>.

Thanks for explaining.

0 Karma