I have a search that works against a key-value pair in Connect Direct logs. Initially I had the report set up to do post-process renaming of the SNOD value to the human-readable name. Yesterday I added a lookup table and ran the search multiple times with the expected results, i.e., the lookup worked.
I replaced the search in the Dashboard panel with the new search and was told "zero results." I ran the inspector and it stated:
This search has completed and found 2,764 matching events. However, the transforming commands in the highlighted portion of the following search:
search sourcetype=connectdirect host = napa-v120 ( RECI=CTRC ) | transaction keepevicted=true PNUM RECI STAR STOP | eval VOLUME=(SBYX/1048576) | search VOLUME>0 | timechart span=30m sum(VOLUME) by Account useother=f usenull=f | rename NAPA_CD_V120 as "Inbound"
(bold to show what was highlighted).
If I just run the search, everything works. I can change date/time ranges, etc., with no problems. Why is the display as a dashboard not working?
I have removed the "rename ..." to no effect.
If I go back to "timechart span=30m sum(VOLUME) by SNOD ..." and then do post-process renames, it works though.
Okay. I'm a klutz.
The lookup file and lookup definition were set properly, but when I added the automatic lookup definition I missed resetting the permissions to all.
My bad.