Dashboards & Visualizations

addcoltotals ignored in HiddenPostProcess ?

Alex_Megremis
Explorer

If I have

<module name="HiddenSearch" autoRun="False" layoutPanel="mainSearchControls">
    <param name="search">index=myIndex 
            eventtype="EVENTS_TYPE_01" OR  
            eventtype="EVENTS_TYPE_02" OR
            eventtype="EVENTS_TYPE_03"
        | timechart span="1d" count(eventtype) by eventtype
        | addtotals rows=t cols=t</param>

it works as expected. I get a Total row and column on a table

However, if I do

<module name="HiddenSearch" autoRun="False" layoutPanel="mainSearchControls">
    <param name="search">index=myindex01
            eventtype="EVENTS_TYPE_01" OR  
            eventtype="EVENTS_TYPE_02" OR
            eventtype="EVENTS_TYPE_03"
        | timechart span="1d" count(eventtype) by eventtype
    <module name="HiddenPostProcess">
        <param name="search"> | addtotals rows=t cols=t</param>

which I would be doing to avoid having the totals column mess up my chart's Y axis, for example, the Totals row isn't there. It's the same if I do

        <param name="search"> | addtotals | addcoltotals</param>

EDIT: The behaviour is exhibited even in a clean XML with a hierarchy of nothing but:

<module name="HiddenSearch">
    <module name="HiddenPostProcess">
        <module name="SimpleResultsTable">

Does anyone have any idea why this is, and how to fix it?

I vaaaaguely have a recollection of this being a known issue of some sort, but I'm probably wrong.

All help appreciated.

Thanks!

Tags (2)
0 Karma

sideview
SplunkTrust
SplunkTrust

UPDATE: sorry in my earlier answer I missed the fact that the total column was being added correctly but it was just the row of totals at the bottom that was not.

There's an outside chance that the Paginator is just cutting it off. The Paginator module was never extended to support postProcess, so it may be requesting the data in such a way that the last row tacked on by postProcess gets ignored. Maybe throw a head and/or tail command in there to see if you can get it to appear, just to troubleshoot.

PREVIOUS ANSWER:

What's the search before the addtotals command? It's possible that the search is just a plain old events search. If that's the case then Splunk wont know at search time that it is expected to extract all the fields, so it will only extract fields that are referred to in the search terms.

Then at postprocess-time, the UI asks for the fields to be totalled up, but there arent any numeric fields so hence no total?

the pitfalls with postprocess are documented here http://www.splunk.com/base/Documentation/4.1.6/Developer/PostProcess and perhaps a bit easier to follow in the ui_examples app's view 'using postprocess with dashboards'.

At any rate, knowing at least what kind of search is the key to this question. It really should work fine.

Side Note: "autoRun=False" will do nothing and is exactly the same as leaving it undefined. Since it's dangerous to have more than one autoRun="True" in any single subbranch of the config I recommend deleting autoRun="False" whenever you see it.

0 Karma

Alex_Megremis
Explorer

I've edited the question to reflect this.

0 Karma

Alex_Megremis
Explorer

Thanks.

No - sadly the paginator doesn't seem to have any relation. I have cleaned up the XML so that the hierarchy contains only:

HiddenSearch
- HiddenPostProcess with addtotals or addcoltotals calls
- SimpleResultsTable

I still lose the column totals.

Any other ideas?

0 Karma

sideview
SplunkTrust
SplunkTrust

Ah! My apologies I read too fast. See updated answer.

0 Karma

Alex_Megremis
Explorer

Thanks for answering!

I have edited the question to reveal the structure of the search. All the resulting fields are numeric, apart from the date.

As I mentioned, I still get totals per row, but I lose the totals per column.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...