Dashboard doesn't reflect result, instead just displays token value passed

rahulkawadkar26
New Member

Hi,

I'm having trouble viewing the results of my search query on a dashboard panel.
My dashboard panel reflects the value passed through the dropdown, instead of showing the result.

<form>
  <label>Builds Running in TeamCity and Jenkins</label>
  <description>Identify Jobs running in Team City and Jenkins that do not have authorization in MFT File</description>
  <search id="baseS">
    <query>
      <![CDATA[query]]>
    </query>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tknhost" searchWhenChanged="true">
      <label>Select Host</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search base="baseS">
        <query> fields * | stats count by host </query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Test Panel</title>
      <single>
        <search base="baseS">
          <query>| search host=$tknhost|s$ | table host, vcsRoot, ORG, suspicious </query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</form>

I expect my 'Test Panel' to show the result in a table of 4 columns; however, it just shows me a single value, the one passed in $tknhost$.

I need a few insights as to why this could be happening.

I did some searching on the web, and I included most of the suggestions in my form, such as including fields in my search so that it is picked up in smart mode, which apparently is the default search mode for dashboards.
Also, I can see the result is not reflected in smart search, but is reflected in verbose mode only. However, when I inspect my panel it gives me a message like:
This search has completed and has returned 445 results by scanning 778,734 events in 109.715 seconds
The following messages were returned by the search subsystem:
info : [subsearch]: Search auto-finalized after time limit (60 seconds) reached.

If it did return results, why was it not reflected on the dashboard panel? I feel very confused from all the troubleshooting and am unable to reach any conclusion. Any suggestions to achieve this objective are welcome.

PS: Or could it be that I have a poorly written base query?

Query:

 (index=teamcity source="ORGINVENTORY") OR (index=jenkins source="ORGINVENTORY")
  | rex field=_raw "(?ms)^(?:[^;\n]*;){6}(?P<ORGANIZATIONINVENTORY>[^;]+)" offset_field=_extracted_fields_bounds
  | dedup ORGANIZATIONINVENTORY 
  | append [ search (index=* OR index=_) index=teamcity sourcetype="teamcity:vcs" jetbrains.buildServer.VCS 
  | rex field=_raw "(?ms)^(?:[^\"\\n]\"){3}(?P<vcsRoot>[^\"]+)" offset_field=_extracted_fields_bounds 
  | search vcsRoot=*git* 
  | dedup vcsRoot 
  | eval connectionType = case(like(vcsRoot, "git@%"),"ssh", like(vcsRoot, "http%"),"https") 
  | eval customSSH=case(connectionType=="ssh",'vcsRoot') ,customHTTP=case(connectionType=="https",'vcsRoot')
  | makemv delim="/" customHTTP 
  | makemv delim=":" customSSH 
  | eval customSSH=mvindex(customSSH,1) 
  | makemv delim="/" customSSH 
  | eval ORG=case(connectionType=="https",mvindex(customHTTP,2),connectionType=="ssh",mvindex(customSSH,0))
  | dedup ORG
  ] 
  | eventstats values(ORGANIZATIONINVENTORY) as ORGANIZATIONINVENTORY
  | search ORG=*
  | eval suspicious = if(ORG=ORGANIZATIONINVENTORY, "No", "Yes")
  | table ORG, ORGANIZATIONINVENTORY , suspicious
0 Karma
1 Solution

renjith_nair
SplunkTrust

@rahulkawadkar26,

You are using a single value visualization. You should use a table to see all the fields 🙂

Happy Splunking!

0 Karma

rahulkawadkar26
New Member

I feel stupid. 😞
You are right. In my defense, I started using Splunk just two weeks back.
I'm still trying to get to know its functionalities better.

Thank you for getting back to me.

0 Karma

rahulkawadkar26
New Member

Btw, how did you get to know I was using single value viz.?

0 Karma

renjith_nair
SplunkTrust

@rahulkawadkar26, from your XML 😉

Happy Splunking!
0 Karma
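
The mismatch the accepted answer spotted in the XML can also be checked mechanically before a dashboard is published. The Python sketch below is an added example, not part of the original thread or of Splunk's own tooling; the function names and the trimmed sample dashboard are constructed for illustration, and the pipe split is a simple heuristic rather than a full SPL parser.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the panel from the question (trimmed) next to a corrected copy.
DASHBOARD = """<form>
  <row>
    <panel>
      <title>Test Panel</title>
      <single>
        <search base="baseS">
          <query>| search host=$tknhost|s$ | table host, vcsRoot, ORG, suspicious </query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Fixed Panel</title>
      <table>
        <search base="baseS">
          <query>| search host=$tknhost|s$ | table host, vcsRoot, ORG, suspicious </query>
        </search>
      </table>
    </panel>
  </row>
</form>"""

def final_table_fields(spl):
    """Return the fields of the last pipeline stage if that stage is a `table` command."""
    # Token filters such as $tknhost|s$ also contain a pipe; only the last segment is used,
    # so they do not matter unless the token sits in the final stage.
    last = spl.strip().split("|")[-1].strip()
    m = re.match(r"table\s+(.+)$", last)
    return [f for f in re.split(r"[,\s]+", m.group(1)) if f] if m else []

def find_single_value_mismatches(xml_text):
    """List (panel title, fields) for <single> panels whose query ends in a multi-field table."""
    findings = []
    for panel in ET.fromstring(xml_text).iter("panel"):
        title = panel.findtext("title", default="(untitled)")
        for query in panel.findall("./single/search/query"):
            fields = final_table_fields(query.text or "")
            if len(fields) > 1:
                findings.append((title, fields))
    return findings

if __name__ == "__main__":
    for title, fields in find_single_value_mismatches(DASHBOARD):
        print(f"{title}: <single> renders one value, but the query tables {fields}; use <table>")
```

Only the panel that wraps the search in `<single>` is reported; the copy that uses `<table>` passes.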