All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Making a new app, why do I get no search results when I run a search with join and a subsearch?

_dave_b
Communicator
‎12-15-2015 01:56 PM

I am trying to make a new App to see if I can get dashboard visualizations to work by duplicating the conditions they work under in the Splunk 6.x Dashboard Examples app, but I am not getting any results back from my search when I do a join & subsearch. This is strange, because the same search returns results in the Search app. Are there any common causes for things like this to happen? Was there a special step I was supposed to take in making my app?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎12-15-2015 02:31 PM

You would benefit if you read up on knowledge objects and application development first.

It sounds like you have "search time field extraction" in a props.conf and/or transforms.conf in your search app that does not exist in your new app. You may be extracting a field called foo in your search app's props.conf... and then writing the search using the field called foo in your search app... and then finding the field doesnt exist in your new app because your new app doesnt have the same props.conf, etc.

Start here: http://docs.splunk.com/Documentation/Splunk/6.1/admin/Wheretofindtheconfigurationfiles

http://docs.splunk.com/Documentation/Splunk/6.3.1/admin/Propsconf <-search & index time field extractions

http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Transformsconf <-search & ???index??? (dont quote me) time field extractions

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Createandmaintainsearch-timefieldextract... <-search time field extractions howto

Another explanation is that you dont have permissions on the extractions that exist in the newly developed app, in which case you should review local & default meta configs:

http://docs.splunk.com/Documentation/Splunk/6.3.1/admin/Defaultmetaconf

View solution in original post

Reply
Solved! Jump to solution

sundareshr
Legend
‎12-15-2015 10:04 PM

subsearches have limitations, run duration as well as max records. Look at the events returned in the job activity list. That should give you some clues.

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎12-15-2015 02:54 PM

Hello. Please let see the search query you are using.

SGF
0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎12-15-2015 02:31 PM

You would benefit if you read up on knowledge objects and application development first.

It sounds like you have "search time field extraction" in a props.conf and/or transforms.conf in your search app that does not exist in your new app. You may be extracting a field called foo in your search app's props.conf... and then writing the search using the field called foo in your search app... and then finding the field doesnt exist in your new app because your new app doesnt have the same props.conf, etc.

Start here: http://docs.splunk.com/Documentation/Splunk/6.1/admin/Wheretofindtheconfigurationfiles

http://docs.splunk.com/Documentation/Splunk/6.3.1/admin/Propsconf <-search & index time field extractions

http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Transformsconf <-search & ???index??? (dont quote me) time field extractions

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Createandmaintainsearch-timefieldextract... <-search time field extractions howto

Another explanation is that you dont have permissions on the extractions that exist in the newly developed app, in which case you should review local & default meta configs:

http://docs.splunk.com/Documentation/Splunk/6.3.1/admin/Defaultmetaconf

Reply
Solved! Jump to solution

_dave_b
Communicator
‎12-16-2015 11:21 AM

Thanks! So I could get something working quickly, I decided to modify the example dashboard in the simple-xml examples app. I ran into the same problem, where the joined subsearch brought back some results, but only when searching for certain values, but not the one I'm interested in. After reviewing the local config files props.conf and comparing it against my working copy in the Search app, I noticed the its props.conf file didn't contain a line for the extraction of the field (a device ID) that I was using to join the subsearch to the main search.

I could see all the fields were being extracted in the main search, so I assumed they would also be extracted for the subsearch as well, and there would be no need to define my extractions and fields all over again. But I did, and now the subsearch works, so it looks like it made all the difference between a functioning and non-functioning search.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-16-2015 12:17 PM

Thanks for accepting the answer. Im glad you found your needle in the haystack.

YOu might be interested in this command:

./splunk cmd btool props list --debug

also

./splunk cmd btool [configFileName] list --debug

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-15-2015 02:37 PM

You might also be interested in seeing extractions, transformations and such in your GUI.

http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Managefieldtransforms

settings -> fields -> .... many options to know and choose ...

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...