[RESOLVED] Search works manually but not in dashboard

Communicator

[RESOLVED]: See notes below.


Below is a search I am using in a dashboard in a HiddenSearch module:

search index=techsecu_summary source="Top-Internet-connection-permitted" | top asa_srcip, asa_dstip, asa_dstport | eval Connection="(" . asa_srcip . ", " . asa_dstip . ", " . asa_dstport . ")" | fields Connection, count, percent

The dashboard shows "No results found."

When I hit "Inspect", I get a message like this:

This search has completed and found 11,549,745 matching events. However, the transforming commands in the highlighted portion of the following search:

the search string shown above with everything after the first | highlighted.

over the time range:

[12/8/13 12:00:00.000 AM – 12/13/13 11:10:30.000 AM]

generated no results.

But if I copy the search string to the "search" app and run it over the same time period (Week to date), I do get results.

Looks like I am missing something really simple but I am not able to see. Your insights are much appreciated.

Communicator

[Resolved] This little issue wasted a few hours of mine!

I'll call it my fault: The problem is that, in splitting the search command into multiple lines to make it a bit more readable, I put a tab in front of the pipe (|) characters. Once I manually replaced the tabs with spaces, the dashboard works as expected.
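An added lint check (not from this thread or from Splunk) that flags the exact condition described here: a tab in front of a pipe inside a HiddenSearch module's search param, and that rebuilds the single-line search string the dashboard needs. It assumes the advanced XML module shape posted later in the thread; SAMPLE_XML is a constructed reproduction, not the poster's file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an advanced XML HiddenSearch module with a tab
# before each pipe, reproducing the failure case from the thread.
SAMPLE_XML = """<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">index=techsecu_summary source="Top-Internet-connection-permitted"
\t| top asa_srcip, asa_dstip, asa_dstport
\t| eval Connection=asa_srcip . "/" . asa_dstip . ":" . asa_dstport
\t| fields Connection, count, percent
  </param>
</module>
"""


def find_tabbed_pipes(search_text):
    """Return 1-based line numbers (within the param text) where a tab precedes a pipe."""
    return [n for n, line in enumerate(search_text.splitlines(), 1)
            if re.search(r'\t\s*\|', line)]


def normalize_search(search_text):
    """Collapse tabs, newlines and indentation to single spaces, matching the manual fix."""
    return re.sub(r'\s+', ' ', search_text).strip()


def lint_dashboard(xml_text):
    """Inspect every <param name="search"> in a module file.

    Returns a list of (tabbed_line_numbers, normalized_search) tuples,
    one per search param, in document order.
    """
    root = ET.fromstring(xml_text)
    results = []
    for param in root.iter('param'):
        if param.get('name') != 'search':
            continue
        text = param.text or ''          # CDATA content is returned here as well
        results.append((find_tabbed_pipes(text), normalize_search(text)))
    return results


if __name__ == '__main__':
    for tabbed, clean in lint_dashboard(SAMPLE_XML):
        print('tab before pipe on lines:', tabbed)
        print('normalized search:', clean)
```

Because ElementTree returns CDATA text the same way, the check also covers the CDATA-wrapped form suggested below.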

Builder

Might be an issue with special characters or maybe something with the spaces in the eval. Try this...

<param name="search"><![CDATA[index=techsecu_summary source="Top-Internet-connection-permitted"
| top asa_srcip, asa_dstip, asa_dstport
| eval Connection=asa_srcip."/".asa_dstip.":".asa_dstport
| fields Connection, count, percent]]>
</param>

Communicator

After figuring out the tabs, I did try the CDATA wrapping (with the tabs in front of the |'s), expecting the dashboard to work. But that still did not work for me.

Communicator

Yes, I'm using advanced XML.

Sorry, the "search" command is copied from the "Search job inspector" page. It's not part of my XML, which actually reads:

  <param name="search">index=techsecu_summary source="Top-Internet-connection-permitted"
    | top asa_srcip, asa_dstip, asa_dstport
    | eval Connection=asa_srcip . "/" . asa_dstip . ":" . asa_dstport
    | fields Connection, count, percent
  </param>

I did change the "eval" line. But that was not the problem.

SplunkTrust

Try removing the "search" command from your search [start directly with index=...].

Builder

Are you using advanced XML?