- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anybody try downloading the splunk app from https://splunkbase.splunk.com/app/1855/ , use a custom search query, make it work and share the steps undertaken?
I recently downloaded a sunburst app from https://splunkbase.splunk.com/app/1855/ to integrate it as a sunburst dashboard with my existing splunk app.
The problem : The custom search query is not getting rendered.
The query :
index=csfindex_apilogger
|table message.userName,message.employerName,message.pageName,_time
|spath
|rename message.userName as userName, message.pageName as pageName,message.employerName as employerName
|where len(employerName)> 0 AND len(userName)>0
|dedup pageName,userName
|stats list(pageName) as series,count(employerName) as count by employerName
|eval steps= mvjoin(series,"-")|fields steps,count
I walked through the steps exactly as mentioned below in the apps manual,
and my search query does return the mentioned data format
- Create a clone of this dashboard
- Move the dashboard to your app.
- Copy the autodiscover.js file, sequences_sunburst directory,d3 directory from $SPLUNK_HOME/etc/apps/sequences sunburst/appserver/static to your app's appserver/static directory
- Change the search string between <searchTemplate> tag in the source xml.Your search have to return 2 fields: steps and count
In the steps field separate steps name with a "-" (hyphen)Like this:step1-step2-step3-step4.
- Replace the explanation text in the visualization settings
- Delete this html panel from the source xml
Note * The Default query in the simple xml was <searchTemplate>|inputlookup visit-sequences.csv</searchTemplate>
Even with the default configuration and the xml intact the search does not seem to work not only in the clone but also the app's default example too
The notification/error that displays in the panel is
Sample - webpage visits - No search set.
I validated the inputlookup visit-sequences.csv by
1. Putting it in a lookup folder inside the app's directory structure followed by a splunk search
2. Restarted splunk
3. Building an index over the visit-sequences.csv file and queried it using the index
4. Repeated the above in a fresh app and the queries did work with the desired result sets
I wonder what I am missing in the process?
Looking forward to an immediate assistance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
replace this line in the example view (make_your_own)
<searchTemplate>|inputlookup visit-sequences.csv</searchTemplate>
with this:
<search id="search1">
<query>|inputlookup visit-sequences.csv</query>
</search>
There are changes in recent Splunk version so you have to specifiy the id in the search definition.
In your xml that will be look like this:
<search id="search1">
<query>index=csfindex_apilogger
|table message.userName,message.employerName,message.pageName,_time
|spath
|rename message.userName as userName, message.pageName as pageName,message.employerName as employerName
|where len(employerName)> 0 AND len(userName)>0
|dedup pageName,userName
|stats list(pageName) as series,count(employerName) as count by employerName
|eval steps= mvjoin(series,"-")|fields steps,count</query>
<earliest>-7d@d</earliest>
<latest>now</latest>
</search>
I will update the app to be compatible with recent versions of Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@klapper , very thankful indeed.
I am yet to try this as I'm waiting for license renewal.
Shall look forward to try the updated app as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did not work out.
