Splunk Web Framework Component Reference

PostProcessManager

Description

The PostProcess manager encapsulates a post-process search job, which is based on a main reporting search.

Documentation

Search managers

How to create a search manager using SplunkJS Stack

How to create a search manager using Django Bindings

Library path

splunkjs/mvc/postprocessmanager

Properties

Name	Default value	Description
id		Required. The unique ID for this control.
managerid	`null`	The ID of the search manager (the base search) to bind this control to.
search	""	The post-process search query.

Search properties

Name	Description
auto_cancel	The number of seconds of inactivity after which to automatically cancel a job. 0 means never auto-cancel.
auto_finalize_ec	The number of events to process after which to auto-finalize the search. 0 means no limit.
auto_pause	The number of seconds of inactivity after which to automatically pause a job. 0 means never auto-pause.
earliest_time	A time string that specifies the earliest time in the time range to search. The time string can be a UTC time (with fractional seconds), a relative time specifier (to now), or a formatted time string. For a real-time search, specify "rt".
enable_lookups	A Boolean that indicates whether to apply lookups to events.
exec_mode	An enum value that indicates the search mode ("blocking", "oneshot", or "normal").
force_bundle_replication	A Boolean that indicates whether this search should cause (and wait depending on the value of "sync_bundle_replication") bundle synchronization with all search peers.
id	A string that contains a search ID. If unspecified, a random ID is generated.
label	A custom name created for this search.
latest_time	A time string that specifies the latest time in the time range to search. The time string can be a UTC time (with fractional seconds), a relative time specifier (to now), or a formatted time string. For a real-time search, specify "rt".
max_count	The number of events that can be accessible in any given status bucket.
max_time	The number of seconds to run this search before finalizing. Specify 0 to never finalize.
namespace	A string that contains the application namespace in which to restrict searches.
now	A time string that sets the absolute time used for any relative time specifier in the search.
preview	Indicates if preview is enabled for this search job. By default, preview is enabled for realtime searches and for searches where status_buckets > 0. Set to false to disable preview.
reduce_freq	The number of seconds (frequency) to run the MapReduce reduce phase on accumulated map values.
reload_macros	A Boolean that indicates whether to reload macro definitions from the macros.conf configuration file.
remote_server_list	A string that contains a comma-separated list of (possibly wildcarded) servers from which to pull raw events. This same server list is used in subsearches.
required_field_list	Deprecated. Use "rf" instead.
rf	A string that adds one or more required fields to the search.
rt_blocking	A Boolean that indicates whether the indexer blocks if the queue for this search is full. For real-time searches.
rt_indexfilter	A Boolean that indicates whether the indexer pre-filters events. For real-time searches.
rt_maxblocksecs	The number of seconds indicating the maximum time to block. 0 means no limit. For real-time searches with "rt_blocking" set to "true".
rt_queue_size	The number indicating the queue size (in events) that the indexer should use for this search. For real-time searches.
search_listener	A string that registers a search state listener with the search. Use the format: `search_state;results_condition;http_method;uri;`
search_mode	An enum value that indicates the search mode ("normal" or "realtime"). If set to "realtime", searches live data. A real-time search is also specified by setting "earliest_time" and "latest_time" properties to "rt", even if the search_mode is normal or is not set.
spawn_process	A Boolean that indicates whether to run the search in a separate spawned process. Searches against indexes must run in a separate process.
status_buckets	The maximum number of status buckets to generate. 0 means to not generate timeline information.
sync_bundle_replication	A Boolean that indicates whether this search should wait for bundle replication to complete.
time_format	A string that specifies the format to use to convert a formatted time string from {start,end}_time into UTC seconds.
timeout	The number of seconds to keep this search after processing has stopped.

Methods

Name	Description
cancel	Cancels the search job.
data	Returns the results model.
finalize	Finalizes the search job.
pause	Pauses the search job.
startSearch	Creates the search job.
unpause	Resumes the search job.

Events

Name	Description
search:cancelled	Fired when the search is cancelled. Changing the properties of the search starts a new one, which may cancel an old search.
search:done	Fired when the search has finished. Note that this event is never fired for a real-time search.
search:error	Fired when an error occurs, such as when the user does not provide a search query, the user does not provide a valid name of a saved search, or when a network failure occurs.
search:failed	Fired when the search job fails.
search:progress	Fired to indicate search progress.
search:start	Fired when the search is successfully started.

Example (Django tag)

{% searchmanager
    id="main-search"
    search="index=_internal sourcetype=* | head 1000 | stats count by sourcetype"
    preview=True
    cache=True %}

{% postprocessmanager
    id="postproc1"
    managerid="main-search"
    search="search sourcetype=splunkd_access OR sourcetype=splunkd" %}

{% postprocessmanager
    id="postproc2"
    managerid="main-search"
    search="search sourcetype=splunk_web_access OR sourcetype=splunk_web_service" %}

Example (JavaScript)

<script>
    var deps = [
        "splunkjs/ready!",
        "splunkjs/mvc/searchmanager",
        "splunkjs/mvc/postprocessmanager"
    ];
    require(deps, function(mvc) {
        var SearchManager = require("splunkjs/mvc/searchmanager");
        var PostProcessManager = require("splunkjs/mvc/postprocessmanager");

        // Create managers
        new SearchManager({
            id: "main-search",
            preview: true,
            cache: true,
            search: "index=_internal sourcetype=* | head 1000 | stats count by sourcetype" 
        });

        new PostProcessManager({
            id: "postproc1",
            managerid: "main-search",
            search: "search sourcetype=splunkd_access OR sourcetype=splunkd" 
        });

        new PostProcessManager({
            id: "postproc2",
            managerid: "main-search",
            search: "search sourcetype=splunk_web_access OR sourcetype=splunk_web_service" 
        });

    });
</script>

Code examples

Example: Drilldown properties using Django tags

Example: Maps using JavaScript in a template

Example: Drilldown properties using JavaScript in a template

PostProcessManager

Description

Documentation

Library path

Properties

Name

Default value

Description

Search properties

Name

Description

Methods

Name

Description

Events

Name

Description

Example (Django tag)

Example (JavaScript)

Code examples