Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why splunk doesn't resolve stats count on postprocess ?

sfatnass
Contributor
‎09-09-2016 06:47 AM

when i try to run a stats count using postprocess splunk doesn't resolve the query search and i don't know why ?

this is my dashboard :

<form>
  <label>Post Process Search</label>
  <description>Each panel post processes the base search through a separate search pipeline.</description>
  <search id="internal_data">
      <query>index=_internal </query>
  </search>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
     <table>
      <title>Top Sourcetypes</title>
      <search base="internal_data">
          <query>stats count(uri_path)</query>
      </search>

    </table>
    <chart>
      <title>Events over Time</title>
      <search base="internal_data">
          <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>

  </row>
</form>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

TStrauch
Communicator
‎09-09-2016 07:11 AM

Hi,

its a little tricky. Splunk runs all Dashboard searches in fast mode. So for your search index=_internal no fields are extracted during search time. This means you cannot do a stats command on "uri_path" because splunk just dont know the field in your postprocess search. just do

"index=_internal | fields *" for your basesearch and it will work.

https://answers.splunk.com/answers/152287/why-search-with-postprocessing-returns-no-results-in-dashb...

regards

View solution in original post

Reply
Solved! Jump to solution
Solution

TStrauch
Communicator
‎09-09-2016 07:11 AM

Hi,

its a little tricky. Splunk runs all Dashboard searches in fast mode. So for your search index=_internal no fields are extracted during search time. This means you cannot do a stats command on "uri_path" because splunk just dont know the field in your postprocess search. just do

"index=_internal | fields *" for your basesearch and it will work.

https://answers.splunk.com/answers/152287/why-search-with-postprocessing-returns-no-results-in-dashb...

regards

Reply
Solved! Jump to solution

sfatnass
Contributor
‎09-09-2016 08:41 AM

thx ^^ it worl perfectly

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎09-09-2016 09:32 AM

Basically you must apply a transforming command in your base search fields, stats, etc. Keep in mind that their is 100,000 event limit when using post process searches.

0 Karma
Reply
Solved! Jump to solution

sfatnass
Contributor
‎09-09-2016 01:35 PM

but it's possible to extend this limit?

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎09-09-2016 01:53 PM

Limits are controlled through limits.conf. I've never been able to ID a corresponding setting.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...