Re: Can anybody try downloading the splunk app fro...

Suryadeep · ‎09-27-2015

I recently downloaded a sunburst app from https://splunkbase.splunk.com/app/1855/ to integrate it as a sunburst dashboard with my existing splunk app.

The problem : The custom search query is not getting rendered.

The query :
index=csfindex_apilogger
|table message.userName,message.employerName,message.pageName,_time
|spath

|rename message.userName as userName, message.pageName as pageName,message.employerName as employerName
|where len(employerName)> 0 AND len(userName)>0
|dedup pageName,userName
|stats list(pageName) as series,count(employerName) as count by employerName
|eval steps= mvjoin(series,"-")|fields steps,count

I walked through the steps exactly as mentioned below in the apps manual,
and my search query does return the mentioned data format

Create a clone of this dashboard
Move the dashboard to your app.
Copy the autodiscover.js file, sequences_sunburst directory,d3 directory from $SPLUNK_HOME/etc/apps/sequences sunburst/appserver/static to your app's appserver/static directory
Change the search string between <searchTemplate> tag in the source xml.Your search have to return 2 fields: steps and count In the steps field separate steps name with a "-" (hyphen)Like this:step1-step2-step3-step4.
Replace the explanation text in the visualization settings
Delete this html panel from the source xml

Note * The Default query in the simple xml was <searchTemplate>|inputlookup visit-sequences.csv</searchTemplate>
Even with the default configuration and the xml intact the search does not seem to work not only in the clone but also the app's default example too

The notification/error that displays in the panel is
Sample - webpage visits - No search set.

I validated the inputlookup visit-sequences.csv by
1. Putting it in a lookup folder inside the app's directory structure followed by a splunk search
2. Restarted splunk
3. Building an index over the visit-sequences.csv file and queried it using the index
4. Repeated the above in a fresh app and the queries did work with the desired result sets

I wonder what I am missing in the process?

Looking forward to an immediate assistance.

klapper · ‎09-27-2015

replace this line in the example view (make_your_own)

<searchTemplate>|inputlookup visit-sequences.csv</searchTemplate>

with this:

<search id="search1">
  <query>|inputlookup visit-sequences.csv</query>
</search>

There are changes in recent Splunk version so you have to specifiy the id in the search definition.

In your xml that will be look like this:

   <search id="search1">
      <query>index=csfindex_apilogger
|table message.userName,message.employerName,message.pageName,_time
|spath
|rename message.userName as userName, message.pageName as pageName,message.employerName as employerName
|where len(employerName)> 0 AND len(userName)>0
|dedup pageName,userName
|stats list(pageName) as series,count(employerName) as count by employerName
|eval steps= mvjoin(series,"-")|fields steps,count</query>
      <earliest>-7d@d</earliest>
      <latest>now</latest>
   </search>

I will update the app to be compatible with recent versions of Splunk.

Suryadeep · ‎09-28-2015

@klapper , very thankful indeed.
I am yet to try this as I'm waiting for license renewal.

Shall look forward to try the updated app as well.

Suryadeep · ‎10-05-2015

Did not work out.

Can anybody try downloading the splunk app from https://splunkbase.splunk.com/app/1855/ , use a custom search query, make it work and share the steps undertaken?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation