Firstly, see my pastebin
Base search:
sourcetype=applog source!=*jboss-*GA/* | transaction transactionid keepevicted=t | fields _time, ResponseType, RequestType, PlatformName, ErrorMessage, exception, exception_message
PostProcess1:
search ResponseType="ERROR_SERVER" | table _time, RequestType, exception, exception_message, ErrorMessage
PostProcess2:
search ResponseType="ERROR_UNKNOWN" | table _time, ErrorMessage, PlatformName, exception
Neither Table module shows results for its respective PostProcess.
I know some questions are going to come up regarding why I'm doing it this way. I understand my method of accomplishing this may not be the best, so please offer suggestions for improvement.
Why am I just grabbing transaction'ed events for my base search? The data I need to display won't appear in the event that has ResponseType=ERROR_SERVER or ResponseType=ERROR_UNKNOWN. It will appear in another event with the same transactionid. If you can think of a better way to put the data together, please tell me.
Why am I using keepevicted=t? No clue. I don't get results when I don't have that in there. Educate me?
Why am I adding fields at the end of my base search? Per the PostProcess documentation in the Sideview app, Splunk will discard fields from the base search that it has deemed unimportant. By explicitly telling Splunk that I want those fields, I think that should bypass that problem. Maybe I'm wrong?
So yeah, no idea why I'm not getting results. Running the base search in combination with the PostProcess does yield results. Help?