Why does this search not work in a dashboard panel?

lycollicott
Motivator

I built an app for a new group of users and I used the Welcome Page Creator app to create its home page. It is a very simple page that has the example panels from Welcome Page Creator plus one custom panel to show the users what indexes they can search. On my development node it looks like this:

That is exactly the way I want it, but when I deploy it to my search head cluster (SHC) it looks like this:

The errors say:

[subsearch]: No matching fields exist
Field 'srchIndexesAllowed' does not exist in the data.

When I run the query from Search on my SHC it works perfectly, but always throws those two errors in the pane.

Here is the panel's XML:

 <panel>
      <title>Indexes You Can Search</title>
      <table>
        <search>
          <query>| rest /services/authentication/current-context | search NOT username="splunk-system-user" | fields roles
| table roles 
| mvexpand roles 
| join type=left roles 
    [ rest /services/authorization/roles 
    | table title srchIndexesAllowed 
    | rename title as roles] 
| makemv srchIndexesAllowed tokenizer=(\S+) 
| fillnull value=" " 
| mvexpand srchIndexesAllowed 
| join type=left max=999 srchIndexesAllowed 
    [ rest /services/data/indexes splunk_server=*indexer01
    | table title 
    | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") 
    | rename title as IndexesAllowed] 
| stats values(*) as * by roles 
| fields - Indexes*
| rename roles as "Your Roles", srchIndexesAllowed as "Indexes You Can Search"</query>
        </search>
      </table>
</panel>
0 Karma

lycollicott
Motivator

@sloshburch, go ahead. (Send me Karma LOL)

I also put a row at the top of the dashboard with this:

<dashboard>
  <label>Welcome</label>
  <search>
    <query>| rest /services/authentication/current-context | search NOT username="splunk-system-user" | fields username, realname</query>
    <finalized>
      <set token="Xusername">$result.username$</set>
      <set token="Xrealname">$result.realname$</set>
    </finalized>
  </search>
  <row>
    <panel>
      <html>
    <style>
      .welcome-header {
        padding: 10px;
        margin-left: auto;
        margin-right: auto;
        min-height: 150px;
        background: #2d3750 50% 50% no-repeat url('/static/app/ss_devops/img-devops-share-small.jpg');
        color: #ffffff;
      }
    </style>
        <div class="welcome-header">
          <p>
            <h1>Splunk at My Company!</h1>
            <h2>$Xrealname$ ($Xusername$)</h2>
          </p>
        </div>  
      </html>
    </panel>
  </row>
0 Karma

sloshburch
Splunk Employee

Hang on to your keyboard but if you're using recent versions of Splunk you can avoid all that complexity and simply do:

<h2>$env:user_realname$ ($env:user$)</h2>

Reference: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Use_global_tokens_to_access_environmen...

0 Karma

lycollicott
Motivator

I was hanging on to my keyboard, but it's wireless, so when I fell over it just went with me.
Boom. Global. Tokens.

0 Karma

sloshburch
Splunk Employee

This is brilliant! Would you be cool with me adding it (or a similar panel) to the Welcome Page Creator? I'd give you credit, of course.

0 Karma

lycollicott
Motivator

Dude, where's my credit in version 2.5? LOL

0 Karma

sloshburch
Splunk Employee

Your panel isn't in 2.5. It's in the code for the next release. 2.5 came out before we had this conversation.

0 Karma

lycollicott
Motivator

LOL, just hassling ya bud.

0 Karma

martin_mueller
SplunkTrust

I'd first clean up the search:

  • current-context is never going to return splunk-system-user in a dashboard
  • fields | table is redundant
  • the second join is made useless by the following fields

As for the actual question, I'm guessing your development environment is a standalone Splunk while your production environment uses distributed search? If so, add splunk_server=local to the rest commands that should query the search head.

0 Karma
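
The second join in the original panel tags every index name with `*` or `_*` so it can be matched against a role's `srchIndexesAllowed`. As an added example (not code from any poster in this thread), the Python below generalizes that mapping to arbitrary patterns and resolves each role to the concrete indexes it can search; the role names, index names and the `devops_user` role are constructed sample data, and the rule that a wildcard never covers a leading underscore mirrors the `match(title, "^_")` test in the panel.

```python
from fnmatch import fnmatchcase


def pattern_matches(pattern, index):
    """Match an index name against one srchIndexesAllowed pattern.

    Internal indexes (leading '_') are only matched by patterns that
    themselves start with '_', so '*' alone never exposes '_internal'.
    """
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)


def searchable_indexes(user_roles, role_patterns, indexes):
    """Return {role: sorted list of concrete indexes the role may search}."""
    result = {}
    for role in user_roles:
        patterns = role_patterns.get(role, [])  # unknown role -> no access
        result[role] = sorted(
            idx for idx in indexes
            if any(pattern_matches(p, idx) for p in patterns)
        )
    return result


# Constructed sample data standing in for the roles and indexes listings.
ROLE_PATTERNS = {
    "admin": ["*", "_*"],
    "devops_user": ["app_*", "main"],   # hypothetical role
    "splunk-system-role": [],
}
INDEXES = ["main", "app_web", "app_db", "_internal", "_audit", "summary"]

if __name__ == "__main__":
    roles = ["admin", "devops_user", "splunk-system-role"]
    for role, idxs in searchable_indexes(roles, ROLE_PATTERNS, INDEXES).items():
        print(f"{role}: {', '.join(idxs) if idxs else '(none)'}")
```

Listing concrete index names per role makes it easy to spot a role whose pattern grants more than intended, which the bare `*` / `_*` output of the panel does not show.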

martin_mueller
SplunkTrust

That search works for me in a dashboard:

<dashboard>
  <row>
    <panel>
      <table>
        <search>
          <query>| rest /services/authentication/current-context splunk_server=local | fields roles
  | mvexpand roles 
  | join type=left roles 
      [ rest /services/authorization/roles splunk_server=local
      | table title srchIndexesAllowed 
      | rename title as roles] 
  | makemv srchIndexesAllowed tokenizer=(\S+) 
  | fillnull value=" " 
  | mvexpand srchIndexesAllowed 
  | stats values(*) as * by roles 
  | rename roles as "Your Roles", srchIndexesAllowed as "Indexes You Can Search"</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma

lycollicott
Motivator

That is also my panel. I'm at a loss.

0 Karma

naidusadanala
Communicator

The search is working fine.

0 Karma

sloshburch
Splunk Employee

I'm on 6.5.2 in my SHC and it works in both search and panel form. I also don't see any strange characters that would need to be escaped that could be causing an issue. What version are you on and is it the same as your development node?

0 Karma

martin_mueller
SplunkTrust

Use local with both current-context and roles - else you're querying all search peers which might have entirely different roles. The users endpoint shouldn't be necessary.

0 Karma

lycollicott
Motivator

So I have this, which works perfectly in search, but the panel still says "Field 'srchIndexesAllowed' does not exist in the data."

| rest /services/authentication/current-context splunk_server=local | fields roles
 | mvexpand roles 
 | join type=left roles 
     [ rest /services/authorization/roles splunk_server=local
     | table title srchIndexesAllowed 
     | rename title as roles] 
 | makemv srchIndexesAllowed tokenizer=(\S+) 
 | fillnull value=" " 
 | mvexpand srchIndexesAllowed 
 | stats values(*) as * by roles 
 | rename roles as "Your Roles", srchIndexesAllowed as "Indexes You Can Search"
0 Karma

lycollicott
Motivator

Yes, my dev system is standalone.

Do you mean I should use splunk_server=local with current-context or users on the SH? I am assuming current-context, because users returns every role on the search head and not just mine (when I test it should only return my admin role).

LOL the second join - crap. I was editing a copy from https://answers.splunk.com/answers/260126/how-can-i-search-a-list-of-users-with-all-the-role.html and I missed that fields.

This revision works in Search on the search heads:

| rest /services/authentication/current-context | fields roles
 | mvexpand roles 
 | join type=left roles 
     [ rest /services/authorization/roles 
     | table title srchIndexesAllowed 
     | rename title as roles] 
 | makemv srchIndexesAllowed tokenizer=(\S+) 
 | fillnull value=" " 
 | mvexpand srchIndexesAllowed 
 | stats values(*) as * by roles 
 | rename roles as "Your Roles", srchIndexesAllowed as "Indexes You Can Search"

It returns:

Your Roles            Indexes You Can Search
admin                 *
                      _*
splunk-system-role
0 Karma