Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why splunk doesn't resolve stats count on postprocess ?

sfatnass
Contributor
‎09-09-2016 06:47 AM

when i try to run a stats count using postprocess splunk doesn't resolve the query search and i don't know why ?

this is my dashboard :

<form>
  <label>Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline.</description>
  <search id="internal_data">
      <query>index=_internal </query>
  </search>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
     <table>
      <title>Top Sourcetypes</title>
      <search base="internal_data">
          <query>stats count(uri_path)</query>
      </search>

    </table>
    <chart>
      <title>Events over Time</title>
      <search base="internal_data">
          <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>

  </row>
</form>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

TStrauch
Communicator
‎09-09-2016 07:11 AM

Hi,

its a little tricky. Splunk runs all Dashboard searches in fast mode. So for your search index=_internal no fields are extracted during search time. This means you cannot do a stats command on "uri_path" because splunk just dont know the field in your postprocess search. just do

"index=_internal | fields *" for your basesearch and it will work.

https://answers.splunk.com/answers/152287/why-search-with-postprocessing-returns-no-results-in-dashb...

regards

View solution in original post

Reply
Solved! Jump to solution
Solution

TStrauch
Communicator
‎09-09-2016 07:11 AM

Hi,

its a little tricky. Splunk runs all Dashboard searches in fast mode. So for your search index=_internal no fields are extracted during search time. This means you cannot do a stats command on "uri_path" because splunk just dont know the field in your postprocess search. just do

"index=_internal | fields *" for your basesearch and it will work.

https://answers.splunk.com/answers/152287/why-search-with-postprocessing-returns-no-results-in-dashb...

regards

Reply
Solved! Jump to solution

sfatnass
Contributor
‎09-09-2016 08:41 AM

thx ^^ it worl perfectly

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎09-09-2016 09:32 AM

Basically you must apply a transforming command in your base search fields, stats, etc. Keep in mind that their is 100,000 event limit when using post process searches.

0 Karma
Reply
Solved! Jump to solution

sfatnass
Contributor
‎09-09-2016 01:35 PM

but it's possible to extend this limit?

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎09-09-2016 01:53 PM

Limits are controlled through limits.conf. I've never been able to ID a corresponding setting.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...