[RESOLVED] Search works manually but not in dashboard

Communicator

[RESOLVED]: See notes below.


Below is a search I am using in a dashboard in a HiddenSearch module:

search index=techsecu_summary source="Top-Internet-connection-permitted" | top asa_srcip, asa_dstip, asa_dstport | eval Connection="(" . asa_srcip . ", " . asa_dstip . ", " . asa_dstport . ")" | fields Connection, count, percent

The dashboard shows "No results found."

When I hit "Inspect", I get a message like this:

This search has completed and found 11,549,745 matching events. However, the transforming commands in the highlighted portion of the following search:

the search string shown above with everything after the first | highlighted.

over the time range:

[12/8/13 12:00:00.000 AM – 12/13/13 11:10:30.000 AM]

generated no results.

But if I copy the search string to the "search" app and run it over the same time period (Week to date), I do get results.

Looks like I am missing something really simple but I am not able to see. Your insights are much appreciated.

Communicator

[Resolved] This little issue wasted a few hours of mine!

I'll call it my fault: The problem is that, in splitting the search command into multiple lines to make it a bit more readable, I put a tab in front of the pipe (|) characters. Once I manually replaced the tabs with spaces, the dashboard works as expected.

Builder

Might be an issue with special characters or maybe something with the spaces in the eval. Try this...

<param name="search"><![CDATA[index=techsecu_summary source="Top-Internet-connection-permitted"
| top asa_srcip, asa_dstip, asa_dstport
| eval Connection=asa_srcip."/".asa_dstip.":".asa_dstport
| fields Connection, count, percent]]>
</param>

0 Karma

Communicator

After figuring out the tabs, I did try the CDATA wrapping (with the tabs in front of the |'s), expecting the dashboard to work. But that still did not work for me.

0 Karma

Communicator

Yes, I'm using advanced XML.

Sorry, the "search" command is copied from the "Search job inspector" page. It's not part of my XML, which actually reads:

  <param name="search">index=techsecu_summary source="Top-Internet-connection-permitted"
    | top asa_srcip, asa_dstip, asa_dstport
    | eval Connection=asa_srcip . "/" . asa_dstip . ":" . asa_dstport
    | fields Connection, count, percent
  </param>

I did change the "eval" line. But that was not the problem.

0 Karma

Revered Legend

Try removing "search" command from your search [start directly with index-....]

0 Karma

Builder

Are you using advanced XML?

0 Karma
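
The cause reported in the resolved post above (tab characters in front of the | characters in the search param of an advanced XML view) can be checked for mechanically before a dashboard is deployed. The Python below is an added example, not code from the thread or from Splunk; the function names and the sample view, including its module wrapper, are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# A run of spaces/tabs containing at least one tab, directly before a pipe.
TAB_BEFORE_PIPE = re.compile(r"[ \t]*\t[ \t]*(?=\|)")

# Constructed sample modelled on the thread's view XML (wrapper is an
# assumption). Two of the three pipe lines are indented with a tab.
SAMPLE_VIEW = (
    '<view>\n'
    '  <module name="HiddenSearch">\n'
    '    <param name="search">index=techsecu_summary source="Top-Internet-connection-permitted"\n'
    '\t| top asa_srcip, asa_dstip, asa_dstport\n'
    '\t| eval Connection=asa_srcip . "/" . asa_dstip . ":" . asa_dstport\n'
    '    | fields Connection, count, percent\n'
    '    </param>\n'
    '  </module>\n'
    '</view>\n'
)


def find_tabbed_pipes(view_xml):
    """Return (param_index, line_no, line) for each search line with a tab before '|'."""
    findings = []
    root = ET.fromstring(view_xml)
    # CDATA sections are merged into .text by the parser, so they are covered too.
    params = [p for p in root.iter("param") if p.get("name") == "search"]
    for idx, param in enumerate(params):
        for line_no, line in enumerate((param.text or "").splitlines(), start=1):
            if TAB_BEFORE_PIPE.search(line):
                findings.append((idx, line_no, line))
    return findings


def replace_tabs(text):
    """Apply the fix from the thread: replace the tabbed run before each pipe with a space."""
    return TAB_BEFORE_PIPE.sub(" ", text)


if __name__ == "__main__":
    for idx, line_no, line in find_tabbed_pipes(SAMPLE_VIEW):
        print(f"search param #{idx}, line {line_no}: tab before pipe: {line!r}")
```

Line numbers in the findings are relative to the start of the search string inside the param, not to the view file.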