Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

john_l_mottola — Mon, 28 Sep 2020 18:03:44 GMT

I am trying to build dashboards for common searches to minimize what operations needs to learn, but I am having an issue. I was able to get the searches working as expected, but the results are not parsing in the dashboard as expected. When viewing this data following a search everything parses as expected, but when using the same search in a Dashboard the data is not parse properly. In the dashboard I only get host, source, sourcetype, index, linecount, and splunk_server. All of these fields are in my search, plus all the fields defined in the transforms.conf.

Sample Data
email@email.com,2014-10-31T03:59:47+00:00,10.0.0.1,read,1363::14::1703::658352::0::0

props.conf
[dyn_bounce_record]
TZ = GMT
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = dyn_bounce

transforms.conf
[dyn_bounce]
FIELDS = "EmailAddress","Bounce_Type","Bounce_Rule","Bounce_Code","Timestamp","X-MailingID"
DELIMS = ","

XML Source from Dashboard

<form>
  <label>Dyn Email Reports</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="dtPicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="ddSourceType" searchWhenChanged="true">
      <label>Source Type</label>
      <choice value="dyn_bounce_record">Bounces</choice>
      <choice value="dyn_sent_record">Sent</choice>
      <choice value="dyn_complaint_record">Complaints</choice>
      <choice value="dyn_open_record">Opens</choice>
      <choice value="dyn_delivered_record">Delivered</choice>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="text" token="txtEmail" searchWhenChanged="true">
      <label>Email Address</label>
      <default>*</default>
      <seed>*</seed>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Dyn Reporting</title>
      <event>
        <search>
          <query>index=dyn sourcetype=$ddSourceType$ $txtEmail$</query>
          <earliest>$dtPicker.earliest$</earliest>
          <latest>$dtPicker.latest$</latest>
        </search>
        <option name="count">25</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <fields>["host","source","sourcetype"]</fields>
      </event>
    </panel>
  </row>
</form>

I am running Splunk Enterprise 6.2 on Windows Server 2008 R2 x64

Re: Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

nfilippi_splunk — Fri, 31 Oct 2014 21:44:17 GMT

Can you share your xml?

Also note that dashboards run searches in fast mode by default. So if you want/need specific fields to be parsed and available (in a post process for example), you will need to add the fields command to your base search with the fields you want.

Re: Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

Raghav2384 — Mon, 28 Sep 2020 18:03:55 GMT

Just as nfilippi mentioned, if you have restricted fields, only those would be displayed in my Interesting fields

Example: Lets say you have 100 Interesting fields before search.
index = abc sourcetype=xyz|fields source,user,uid,ip,_raw,_time|timechart count by user

Now i am down from 100 to 4 fields.Hope this helps

Re: Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

john_l_mottola — Sat, 01 Nov 2014 19:52:07 GMT

Thanks, this worked just as expected.

topic Re: Why aren't my dashboard searches returning all expected field results like searches from the Search Bar? in Splunk Search

Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

Re: Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

Re: Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

Re: Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?