All Apps and Add-ons

Why did search did not return any events?

mwestley
Loves-to-Learn

I'm working on a dashboard that is not returning any results but can find events upon clicking the "Open in Search" link.  Why is it not showing results on the dashboard view?Screenshot 2021-03-19 094615.jpg

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please share your dashboard source code in a code block </>

0 Karma

ajones
Explorer
<form theme="dark">
  <label>[REDACTED]</label>
  <fieldset submitButton="false">
    <input type="time" token="timerange" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-2w@w</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>[REDACTED]</title>
      <event>
        <title>[REDACTED]</title>
        <search>
          <query>| inputlookup [REDACTED].csv | bucket _time span=1week | addinfo | eval WeekA=strftime(info_min_time, "%V") | eval WeekB=strftime(info_max_time, "%V") | where [REDACTED] == [REDACTED] AND refwoy &gt;= WeekA AND refwoy &lt; WeekB | eval f_time=strftime(refdate, "%Y-%m-%d") | xyseries [REDACTED] f_time count | foreach * [| eval total=if(isnull(total),0,total) | eval total=total+1| eval DIFF=if(total=1, -1* '&lt;&lt;FIELD&gt;&gt;', DIFF + '&lt;&lt;FIELD&gt;&gt;')] | eval temp=split(DIFF,"http") | eval Difference=mvindex(temp,0) | fields - total, temp, DIFF</query>
          <earliest>$timerange.earliest$</earliest>
          <latest>$timerange.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
    <panel>
      <title>[REDACTED]</title>
      <event>
        <title>[REDACTED]</title>
        <search>
          <query>| inputlookup [REDACTED].csv | bucket _time span=1week | addinfo | eval WeekA=strftime(info_min_time, "%V") | eval WeekB=strftime(info_max_time, "%V") | where [REDACTED] == [REDACTED] AND refwoy &gt;= WeekA AND refwoy &lt; WeekB | eval f_time=strftime(refdate, "%Y-%m-%d") | xyseries [REDACTED] f_time count | foreach * [| eval total=if(isnull(total),0,total) | eval total=total+1| eval DIFF=if(total=1, -1* '&lt;&lt;FIELD&gt;&gt;', DIFF + '&lt;&lt;FIELD&gt;&gt;')] | eval temp=split(DIFF,"http") | eval Difference=mvindex(temp,0) | fields - total, temp, DIFF</query>
          <earliest>$timerange.earliest$</earliest>
          <latest>$timerange.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
0 Karma

ajones
Explorer

@ITWhisperer 

I am very sorry and figured out what my issue was, the panel appeared to have switched to events instead of a statistics table! Thanks for reaching out to help!

ITWhisperer
SplunkTrust
SplunkTrust

No worries @ajones - you were hijacking @mwestley post anyway. Glad you got your issue sorted out though.

0 Karma

ajones
Explorer

Has this problem been figured out yet? I am having the same issue now and am unable to figure out what is going on. Thank you!

0 Karma

Vardhan
Contributor

Hi @mwestley ,

The search is returning results when your time range is selected as All time.  So Add a time range filter in the dashboard and check for the results.

0 Karma

mwestley
Loves-to-Learn

I was hopeful trying your suggestion but after adding the time range picker still am getting no results.  😞  I am curious though on the Search results page where it shows statistics of 64 but events is zero.  Why is that?Screenshot 2021-03-22 102818.jpg

0 Karma

Vardhan
Contributor

Hi @mwestley ,

 

can you select the time range as the Previous year and check for the result?

Vardhan_0-1616433518874.png

And also after creating a time range input did you applied the time range on the search?

Vardhan_0-1616433737471.png

Vardhan_1-1616433788874.png

 

0 Karma

mwestley
Loves-to-Learn

mwestley_0-1616427476768.png

 

0 Karma
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...