All Apps and Add-ons

Problem with Search - No matching fields exist

nikhilmehra79
Path Finder

Hi,

I have been working on advanced xml and have written some search logic which looks in two CSV files and run search query and bring two different results. It used to work until something happened which messed up one of my result. So i am reading two csv files, here is my Src Input.conf at Universal Forwarder:

[monitor://D:\Availablity_Analytics\Analytics1.csv]
sourcetype = csv-2

[monitor://D:\\Availablity_Analytics\Analytics2.csv]
sourcetype = csv-3

Both files have content different but i still classified them as different source types

Here is my props.conf at same Universal Forwarder (C:\Program Files\SplunkForwarder\etc\apps\learned\local)

[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true

[csv-3]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true

On Indexer/Search Head i have same props.conf entry at D:\Splunk\etc\apps\learned\local
[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true

[csv-3]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true

Now i see indexer summary screen shows two Sources (CSV files) with 2 Summary Fields files and i also see two Source Types. I simply run a search query on second CSV file

source="D:\\Availablity_Analytics\\Analytics2.csv" | rex field=_raw "(?<Date>.*),(?<Poll_Duration>.*),(?<Latency_msec>.*)" | search Poll_Duration>0 | table Date Latency_msec | stats avg(Latency_msec) | rangemap field=avg(Latency_msec) low_small=0-200 medium_small=201-500 default=severe_small

This gives a nice output (the way i want it at Splunk Search)

But interestingly (which used to work earlier) when i run the search from my Advanced XML - then the same search is coming back with "No matching fields exist" - my advanced XML looks like:

        <!-- Avail Site -->
<module name="HiddenSearch" layoutPanel="panel_row3_col1" group="Avail Last 24 Hours" autoRun="True">
        <param name="search">((source="source="D:\\Availablity_Analytics\\Analytics1.csv") AND (SH)) | rex field=_raw "(?&lt;Hostname&gt;.*),(?&lt;Value&gt;.*)" | chart avg(Value) | stats max | rangemap field=max low=99-100 default=severe</param>
        <param name="earliest">-24h</param>
        <param name="latest">-1m</param>
        <module name="SingleValue">          
            <option name="field">max</option>
            <option name="classField">range</option>            
            <param name="beforeLabel">AVAILABLITY</param>
            <param name="afterLabel">%</param>
            <param name="linkFields">result</param>
            <param name="linkSearch">((source="source="D:\\Availablity_Analytics\\Analytics1.csv") AND (SH)) AND (SH)) | rex field=_raw "(?&lt;Hostname&gt;.*),(?&lt;Value&gt;.*)" | stats avg(Value) by Hostname</param>
            <param name="linkView">Template_Table</param>
        </module>               
    </module>


        <!-- Latency Site -->
    <module name="HiddenSearch" layoutPanel="panel_row3_col2" group="Latency Last 24 Hours" autoRun="True">
        <param name="search">((source="source="D:\\Availablity_Analytics\\Analytics2.csv") AND (SH)) | rex field=_raw "(?&lt;Date&gt;.*),(?&lt;Poll_Duration&gt;.*),(?&lt;Latency_msec&gt;.*)" | search Poll_Duration>0 | table Date Latency_msec | stats avg(Latency_msec) | rangemap field=avg(Latency_msec) low_small=0-200 medium_small=201-500 default=severe_small</param>
        <param name="earliest">-24h</param>
        <param name="latest">-1m</param>
        <module name="SingleValue">
            <option name="field">max</option>
            <option name="classField">range</option>                        
            <param name="afterLabel">msec</param>
            <param name="linkFields">result,afterLabel</param>          
        </module>               
    </module>

First Module (Avail Site ) shows up Avilablity at Dashboard but Second Panel (Latency) Single Value is showing value N/A and at top of dashboard i see "No matching fields exist" in a blue bar. This same search as shown above works fine when you take the search and put in search bar. I have deleted csv indexed data from both CSV files (by .. | delete) multiple times, i have reinstalled Splunk indexer and Search head (test machine) , i have split the source type (as shown above) but still problem is there: any helpful will be greatly appreciated as i am running out of options here. I am running v 5.0.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

<!-- Avail Site -->
<module name="HiddenSearch" layoutpanel="panel_row3_col1" group="Avail Last 24 Hours" autorun="True">
  <param name="search">
    <![CDATA[
    source="D:\Availablity_Analytics\Analytics1.csv" SH | rex field=_raw "(?<Hostname>.*),(?<Value>.*)" | chart avg(Value) | stats max | rangemap field=max low=99-100 default=severe
      ]]>
  </param>
  <param name="earliest">-24h</param>
  <param name="latest">-1m</param>
  <module name="SingleValue">
    <option name="field">max</option>
    <option name="classField">range</option>
    <param name="beforeLabel">AVAILABLITY</param>
    <param name="afterLabel">%</param>
    <param name="linkFields">result</param>
    <param name="linkSearch">
      <![CDATA[
      source="D:\Availablity_Analytics\Analytics1.csv" SH | rex field=_raw "(?<Hostname>.*),(?<Value>.*)" | stats avg(Value) by Hostname
        ]]>
    </param>
    <param name="linkView">Template_Table</param>
  </module>
</module>
0 Karma

nikhilmehra79
Path Finder

Still same response " No matching fields exist"

0 Karma

nikhilmehra79
Path Finder

and actuall it was the second layout panel Latency which was the issue (first one Avail is just fine)

0 Karma

nikhilmehra79
Path Finder

Are you saying append and close the search string with
"![CDATA[" and "]]" - what does it do? i will try now.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...