- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: [RESOLVED] Search works manually but not in da...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[RESOLVED] Search works manually but not in dashboard
[RESOLVED]: See notes below.
Below is a search I am using in a dashboard in a HiddenSearch module:
search index=techsecu_summary source="Top-Internet-connection-permitted" | top asa_srcip, asa_dstip, asa_dstport | eval Connection="(" . asa_srcip . ", " . asa_dstip . ", " . asa_dstport . ")" | fields Connection, count, percent
The dashboard shows "No results found."
When I hit "Inspect", I get a message like this:
This search has completed and found 11,549,745 matching events. However, the transforming commands in the highlighted portion of the following search:
the search string shown above with everything after the first | highlited.
over the time range:
[12/8/13 12:00:00.000 AM – 12/13/13 11:10:30.000 AM]
generated no results.
But if I copy the search string to the "search" app and run it over the same time period (Week to date), I do get results.
Looks like I am missing something really simple but I am not able to see. Your insights are much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[Resolved] This little issue wasted a few hours of mine!
I'll call it my fault: The problem is that, in splitting the search command into multiple lines to make it a bit more readable, I put a tab in front of the pipe (|) characters. Once I manually replaced the tabs with spaces, the dashboard works as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Might be a issue with special characters or maybe something with the spaces in the eval. Try this...
<param name="search"><![CDATA[index=techsecu_summary source="Top-Internet-connection-permitted"
| top asa_srcip, asa_dstip, asa_dstport
| eval Connection=asa_srcip."/".asa_dstip.":".asa_dstport
| fields Connection, count, percent]]>
</param>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After figuring out the tabs, I did try the CDATA wrapping (with the tabs in front of the |'s), expecting the dashboard to work. But that still did not work for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I'm using advanced XML.
Sorry, the "search" command is copied from the "Search job inspector" page. It's not part of my XML, which actually reads:
<param name="search">index=techsecu_summary source="Top-Internet-connection-permitted"
| top asa_srcip, asa_dstip, asa_dstport
| eval Connection=asa_srcip . "/" . asa_dstip . ":" . asa_dstport
| fields Connection, count, percent
</param>
I did change the "eval" line. But that was not the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try removing "search" command from your search [start directly with index-....]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
are you using advanced xml?
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
