1) Technically your first postprocess isn't working correctly either although it may look approximately right. Your base search is
`set_internal_index` host=* sourcetype=splunkd_access "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-" user!="splunk-system-user" | rex "(?<run_time>\d+)ms"| bin _time span=15min | stats count by user, run_time
and then your postprocess search for top 10 users is just:
| top 10 user
However the top command just counts the number of incoming rows per user and ranks them according to that. In so doing it will not sum up the "count" field for each value of user, it will simply count incoming rows. So in this case because the base search ends with stats count by user, run_time , the top command will simply rank the users by how many distinct run_time values they each have which is probably not what you intended. You probably want to use a postprocess search of
| stats sum(run_time) as run_time by user
or possibly
| stats sum(count) as count by user
but I don't know which one is the one you mean.
2) As to the second postprocess search, the reason that's not working is that the postprocess search is:
$username$ | timechart eval(sum(run_time)/1000) by user
a) Since postprocess searches have to include the leading search command, (even if you intend the search search command), this is probably throwing an error. Unfortunately Splunk doesn't propagate this error anywhere, so the request will be quietly dying with an error 400 (bad request) or 500.
b) even search=bob wouldn't work here, because there is no longer any _raw text for the search command to check free-text search terms against. I think you mean user="$username$" . You probably want to have a postprocess search here of:
search user=$username$ | timechart eval(sum(run_time)/1000) as seconds
... View more
