What is the reason for my error?

qfjp
Explorer

<module name="AccountBar" layoutPanel="appHeader"/> 
<module name="AppBar" layoutPanel="navigationHeader"/>

<module name="SearchSelectLister" layoutPanel="panel_row1_col2" group="SourceType Setting">
    <param name="label">which index</param>
    <param name="settingToCreate">index_setting</param>
    <param name="search">| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index</param>
    <param name="searchWhenChanged">True</param>
    <param name="selected">main</param>
    <param name="searchFieldsToDisplay">
        <list>
            <param name="label">index</param>
            <param name="value">index</param>
        </list></param>

    <module name="ConvertToIntention">
        <param name="settingToConvert">index_setting</param>
        <param name="intention">
            <param name="name">stringreplace</param>
            <param name="arg">
                <param name="index">
                    <param name="fillOnEmpty">True</param>
                    <param name="prefix">index=</param>
                    <param name="value">$target$</param></param></param></param>

        <module name="SearchSelectLister">
            <param name="label">Sourcetype</param>
            <param name="settingToCreate">sourcetype_setting</param>
            <param name="search">| metadata type="sourcetypes" $index$</param>
            <param name="applyOuterIntentionsToInternalSearch">True</param>
            <param name="searchFieldsToDisplay">
                <list>
                    <param name="label">sourcetype</param>
                    <param name="value">sourcetype</param>
                </list>
            </param>

            <module name="ConvertToIntention">
                <param name="settingToConvert">sourcetype_setting</param>
                <param name="intention">
                    <param name="name">stringreplace</param>
                    <param name="arg">
                        <param name="sourcetype">
                            <param name="fillOnEmpty">True</param>
                            <param name="prefix">sourcetype=</param>
                            <param name="value">$target$</param></param></param></param>

                <module name="TimeRangePicker" layoutPanel="panel_row1_col1" group="Time Setting">
                    <param name="searchWhenChanged">True</param>
                    <param name="selected">All time</param>

                    <module name="HiddenSearch" layoutPanel="panel_row2_col1" group="Time Search">
                        <param name="search">$index$ $sourcetype$</param>

                        <module name="Paginator" layoutPanel="panel_row2_col1">
                            <param name="entityName">auto</param>
                            <param name="maxPages">10</param>

                            <module name="SimpleResultsTable" layoutPanel="panel_row2_col1" auotRun="True">
                                <param name="drilldown">row</param>
                                <param name="fields">
                                    date | time | host | src | src_port | dst | dst_port | msg</param>
                            </module>
                        </module>
                    </module>
                </module>
            </module>
        </module>
    </module>
</module>

0 Karma

sideview
SplunkTrust

Well it's difficult to know what's causing the specific error message you're seeing, but there are a couple problems visible in this view.

1) When you use the fields param in SimpleResultsTable the fields can either be space separated or comma separated, but they cannot be pipe-separated like that. That is causing none of those fields to get returned.
Moreover, it's easier to not use the fields param at all and just use the fields or table command in the search language. By default the SimpleResultsTable module will just render all the fields it's given (except for field names that begin with "_" characters).

2) You have an extra autoRun="True" that might be causing some bad behavior, except that it's misspelled as auotRun="True" which makes it harmless. Just remove that - it wasn't necessary and it wasn't doing anything anyway.

3) drilldown was enabled on the SimpleResultsTable but it doesn't actually have any downstream modules so this would make the table interactive, except that clicking the table row wouldn't actually do anything beyond giving it a different background color.

I've taken the liberty of rewriting and cleaning up your XML as I went through, so here's the fixed version.

<module name="AccountBar" layoutPanel="appHeader"/> 
<module name="AppBar" layoutPanel="navigationHeader"/>

<module name="SearchSelectLister" layoutPanel="panel_row1_col2" group="SourceType Setting">
  <param name="label">which index</param>
  <param name="settingToCreate">index_setting</param>
  <param name="search">| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index</param>
  <param name="searchWhenChanged">True</param>
  <param name="selected">main</param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">index</param>
      <param name="value">index</param>
    </list>
  </param>

  <module name="ConvertToIntention">
    <param name="settingToConvert">index_setting</param>
    <param name="intention">
      <param name="name">stringreplace</param>
      <param name="arg">
        <param name="index">
          <param name="fillOnEmpty">True</param>
          <param name="prefix">index=</param>
          <param name="value">$target$</param>
        </param>
      </param>
    </param>

    <module name="SearchSelectLister">
      <param name="label">Sourcetype</param>
      <param name="settingToCreate">sourcetype_setting</param>
      <param name="search">| metadata type="sourcetypes" $index$</param>
      <param name="applyOuterIntentionsToInternalSearch">True</param>
      <param name="searchFieldsToDisplay">
        <list>
          <param name="label">sourcetype</param>
          <param name="value">sourcetype</param>
        </list>
      </param>

      <module name="ConvertToIntention">
        <param name="settingToConvert">sourcetype_setting</param>
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
            <param name="sourcetype">
              <param name="fillOnEmpty">True</param>
              <param name="prefix">sourcetype=</param>
              <param name="value">$target$</param>
            </param>
          </param>
        </param>

        <module name="TimeRangePicker" layoutPanel="panel_row1_col1" group="Time Setting">
          <param name="searchWhenChanged">True</param>
          <param name="selected">All time</param>

          <module name="HiddenSearch" layoutPanel="panel_row2_col1" group="Time Search">
            <param name="search">$index$ $sourcetype$ | table date time host src src_port dst dst_port msg</param>

            <module name="Paginator">
              <param name="entityName">auto</param>
              <param name="maxPages">10</param>

              <module name="SimpleResultsTable">
                <param name="drilldown">row</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

And just as a point of interest here's a converted copy of the view, converted to use Sideview modules from Sideview Utils instead. As you should be able to see, simple views like this get a lot easier to read and to deal with.

<module name="AccountBar" layoutPanel="appHeader"/> 
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="SideviewUtils" layoutPanel="appHeader" />


<module name="Search" layoutPanel="panel_row1_col2" group="SourceType Setting" autoRun="True">
  <param name="search">| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index</param>

  <module name="ValueSetter">
    <param name="name">index</param>
    <param name="value">main</param>

    <module name="Pulldown">
      <param name="name">index</param>
      <param name="valueField">$name$</param>
      <param name="label">Index</param>
      <param name="template">$name$="$value$"</param>

      <module name="Search">
        <param name="search">| metadata type="sourcetypes" $index$</param>

        <module name="Pulldown">
          <param name="name">sourcetype</param>
          <param name="valueField">$name$</param>
          <param name="label">Sourcetype</param>
          <param name="template">$name$="$value$"</param>

          <module name="TimeRangePicker" layoutPanel="panel_row1_col1" group="Time Setting">
            <param name="searchWhenChanged">True</param>
            <param name="selected">All time</param>

            <module name="Search" layoutPanel="panel_row2_col1" group="Time Search">
              <param name="search">$index$ $sourcetype$ | table date time host src src_port dst dst_port msg</param>

              <module name="Pager">

                <module name="Table"></module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
0 Karma
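
The three problems listed in the answer above can be checked mechanically before a view is deployed. The following is an added example, not part of the original answer or of Splunk or Sideview Utils: `lint_view` is a hypothetical helper, `KNOWN_ATTRS` is an assumed allow-list built only from the module attributes that appear on this page, and a missing `drilldown` param is assumed to mean drilldown is off.

```python
import difflib
import xml.etree.ElementTree as ET

# Assumption: allow-list of <module> attributes, taken from the views on this page.
KNOWN_ATTRS = {"name", "layoutPanel", "group", "autoRun"}

# Constructed sample: the tail of the original view, reduced to the problem module.
SAMPLE_VIEW = """
<module name="HiddenSearch" layoutPanel="panel_row2_col1">
  <param name="search">$index$ $sourcetype$</param>
  <module name="SimpleResultsTable" layoutPanel="panel_row2_col1" auotRun="True">
    <param name="drilldown">row</param>
    <param name="fields">date | time | host | src</param>
  </module>
</module>
"""

def lint_view(xml_text):
    """Return a list of (module name, finding) tuples for a view fragment."""
    # View fragments may hold several top-level modules, so wrap them in one root.
    root = ET.fromstring("<view>" + xml_text + "</view>")
    findings = []
    for mod in root.iter("module"):
        name = mod.get("name", "?")
        # Direct <param> children only; nested modules carry their own params.
        params = {p.get("name"): (p.text or "").strip() for p in mod.findall("param")}
        for attr in mod.attrib:
            if attr not in KNOWN_ATTRS:
                # A misspelled attribute is silently ignored, so suggest the closest name.
                guess = difflib.get_close_matches(attr, sorted(KNOWN_ATTRS), n=1)
                hint = " (did you mean %s?)" % guess[0] if guess else ""
                findings.append((name, "unknown attribute %s%s" % (attr, hint)))
        if name == "SimpleResultsTable":
            if "|" in params.get("fields", ""):
                findings.append((name, "fields param is pipe-separated"))
            # Assumption: absent param or the value "none" means drilldown is disabled.
            drill = params.get("drilldown", "none")
            if drill != "none" and mod.find("module") is None:
                findings.append((name, "drilldown=%s but no downstream module" % drill))
    return findings

if __name__ == "__main__":
    for module, finding in lint_view(SAMPLE_VIEW):
        print("%s: %s" % (module, finding))
```

Run against the fixed view in the answer, the same check still reports the drilldown finding, since that version keeps `drilldown` set to `row` with no downstream module.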

sideview
SplunkTrust

To help the community answer your question efficiently, can you update your question so as to add the actual error message that you are seeing?

0 Karma