topic Re: Inline search is not working in a dashboard in Splunk Search

Inline search is not working in a dashboard

edrivera3 — Mon, 28 Sep 2020 19:37:29 GMT

Hi
I had a similar problem last month. I received a solution but now I encountered the same problem but the solution does not apply to it.
Here is my previous question :
http://answers.splunk.com/answers/231397/why-does-my-search-work-in-the-search-app-but-not-1.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev

My problem is that the field "test_name" is not showing in the table. If I hit "Open in Search" in the dashboard panel, the whole table is showed correctly.
"index=index_1 AND [search index=index_2 | fields field_1,field2] | rex "/n(?< test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?< field_3>/d+-/d+) | rex "Blahblash(?< field_4>[/w/W]{1,200}) | table test_name,field_3,field_4"

Note: All slash are really backslash (I changed them here for the purpose of showing where the backslash are)

Re: Inline search is not working in a dashboard

edrivera3 — Mon, 28 Sep 2020 19:37:32 GMT

Update: I found that the problem occurred only when the inline search is divided by a search base:
< search id="base_1">
index=index_1 AND [search index=index_2 | fields field_1,field_2]< /query>
< /search>

< panel>
< search base="base_1">
< query> rex "/n(?< test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?< field_3>/d+-/d+) | rex "Blahblash(?< field_4>[/w/W]{1,200}) | table test_name,field_3,field_4 < /query>
< /search>

If the inline search is entirely in the panel, the table is showed correctly. This is weird because I use that search base to power all my other panels without a problem.

Re: Inline search is not working in a dashboard

NOUMSSI — Sat, 25 Apr 2015 22:19:10 GMT

Hi try with join commande

index=index_1 | rex "/n(?< test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?< field_3>/d+-/d+) | rex "Blahblash(?< field_4>[/w/W]{1,200}) | join [search index=index_2 | fields field_1,field2] |table test_name,field_3,field_4

Let me know if you have any issue

Re: Inline search is not working in a dashboard

edrivera3 — Mon, 27 Apr 2015 15:16:52 GMT

Ok. I tried this and I found the following:
1. The results take more time to show up with " | join" than If were using "AND"
2. When the table is starting to populate I saw some events that later are not in the table. I hit the "Open in Search" in the dashboard and I saw the same behavior. I checked my data and that event should be in the table.

I am concerned about this strange splunk behavior. First, why my initial search that runs correctly in the dashboard doesn't find any results if it is divided by search base. Why there are some events that appeared in the table when it is been populated and then they disappear.

Re: Inline search is not working in a dashboard

edrivera3 — Mon, 27 Apr 2015 15:33:54 GMT

Maybe the problem is related to this subsearch.
...| eventstats count by field_3 | search count = 1 | table ...

I am trying to show only unique values of field_3. Maybe this is not the proper way.

Re: Inline search is not working in a dashboard

edrivera3 — Mon, 27 Apr 2015 15:41:58 GMT

Yes, that was the problem. I changed it to:
...| dedup field_3 | table

Re: Inline search is not working in a dashboard

NOUMSSI — Tue, 28 Apr 2015 01:03:05 GMT

Ok .please forgive me to have not follow you. I as very busy.
So dedup commande will remove all the duplicates and then sort the results based on the specified sort-by field.
You can also use dc commande which Remove duplicates results with the same host value and return the total count of the remaining results. Fro example: ... | stats dc(host)