Solved: Dashboard shows no Results but Search works . .

tyronetv · ‎10-22-2013

I have a search that works against a key value pair in Connect Direct logs. Initially I had the report set up to do post-process re-naming of the SNOD value to the human readable name. Yesterday I added a lookup table and ran the search multiple times with the expected results, i.e., the lookup worked.

I replaced the search in the Dashboard panel with the new search and was told "zero results." I ran the inspector and it stated:

This search has completed and found 2,764 matching events. However, the transforming commands in the highlighted portion of the following search:

search sourcetype=connectdirect host = napa-v120 ( RECI=CTRC ) | transaction keepevicted=true PNUM RECI STAR STOP | eval VOLUME=(SBYX/1048576) | search VOLUME>0 | timechart span=30m sum(VOLUME) by Account useother=f usenull=f | rename NAPA_CD_V120 as "Inbound"

(bold to show what was highlighted).

If I just run the search, everything works. I can change date/time ranges, etc., with no problems. Why is the display as a dashboard not working?

I have removed the "rename ..." to no effect.

If I go back to "timechart span=30m sum(VOLUME) by SNOD ..." and then do post process renames it works though.

tyronetv · ‎10-22-2013

Okay. I'm a klutz.

The lookup file and lookup definition were set properly but when I added the automatic lookup definition I missed resetting the permissions to all.

My bad.

View solution in original post

tyronetv · ‎10-22-2013

Okay. I'm a klutz.

The lookup file and lookup definition were set properly but when I added the automatic lookup definition I missed resetting the permissions to all.

My bad.

Dashboard shows no Results but Search works . .

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor