HiddenSearch not returning results for PostProcess and display Modules

proctorgeorge
Path Finder

Hello All,

EDIT: Using version 4.1.5

I am working on a view that gives SingleValue "pillboxes" for core servers in our deployment that will show status which right now is just based on ping. I am using a HiddenSearch to optimize grabbing all the pings and then HiddenPostProcess for each pillbox which relates to a different IP address.

I have been trying, and failing, to get the SingleValues to show anything besides N/A. For testing purposes I threw in a SimpleResultsTable to make sure that the HiddenSearch was creating the right data set for the PostProcess. For some reason it was not showing anything either, just "No results found. More info...". Clicking the "More info" link brings up the job inspector and points to the problem being the second half (after the pipe) of this search not returning any results.

    search index=ping sourcetype=ping | stats count(eval(Lost=1)) AS LOST, count(eval(Lost=0)) AS NOTLOST by pingtarget

I can copy the search into the search app and it does return results so I am wondering if I am missing anything or why a valid search is not returning anything?

Here is the extract from my view xml:

    <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="true">
      <param name="search">index=ping sourcetype=ping | stats count(eval(Lost=1)) AS LOST, count(eval(Lost=0)) AS NOTLOST by pingtarget</param>
      <param name="earliest">-15m@m</param>
      <param name="latest">-0s@m</param>

      <module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp1">
        <param name="search"> search pingtarget=192.168.14.228 | stats max(LOST) | rangemap field=max(LOST) low=0-0 elevated=1-1 severe=2-100000 default=low</param>
        <module name="SingleValue">
          <param name="field">max(LOST)</param>
          <param name="classField">range</param>
        </module>
        <module name="SimpleResultsTable">
          <param name="fields">max(LOST)</param>
        </module>
      </module>
    </module>

Any ideas on what I am missing or why my HiddenSearch is not passing the correct data on to the other modules?

Thanks, George

1 Solution

proctorgeorge
Path Finder

I finally found the answer, the "pingtarget" field was an extracted field that was still private to the search app. Thus every time I tested with the search app it worked but when it was outside in my new app it could not return results because "pingtarget" was unknown. I elevated the extracted field to Global and everything is working now.

LESSON LEARNED: Always elevate to Global!

0 Karma
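
An added example, not part of the original post or Splunk's own code: a Python check that reads an app's `metadata/local.meta` and lists field extractions that are not exported with `export = system`, which is the sharing state the answer above describes. The sample file contents, the stanza and extraction names, and the simplified inheritance model are assumptions.

```python
import re

# Constructed metadata/local.meta for the "search" app (sample data, not from
# the thread). Stanza and extraction names are assumptions.
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]

[props/ping/EXTRACT-pingtarget]
owner = admin

[props/ping/EXTRACT-Lost]
owner = admin
export = system
"""

def parse_meta(text):
    """Parse .meta text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(stanzas, name):
    """Resolve 'export' from the most specific stanza down to [] (simplified model)."""
    parts = name.split("/")
    for depth in range(len(parts), -1, -1):
        scope = "/".join(parts[:depth])
        if "export" in stanzas.get(scope, {}):
            return stanzas[scope]["export"]
    return "none"  # no export setting: the object stays inside its own app

def app_local_extractions(text):
    """Return EXTRACT-* props objects that other apps cannot see."""
    stanzas = parse_meta(text)
    return sorted(
        name for name in stanzas
        if re.fullmatch(r"props/[^/]+/EXTRACT-.+", name)
        and effective_export(stanzas, name) != "system"
    )

if __name__ == "__main__":
    print(app_local_extractions(SAMPLE_META))
```
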

sideview
SplunkTrust

Very interesting. Hard as this is for me to believe, it sounds like there's a bug when you use the eval function in stats, where the search language parser doesn't tell the search command to extract and summarize the 'Lost' field.

At any rate, when a search works in the flashtimeline view but doesn't work in some other view, the cause is usually the fact that the flashtimeline view (specifically the modules in the sidebar) submits required_field_list=*, which is an API arg that tells splunkd to extract and summarize every field it possibly can.

That said I'm skeptical because this would be a pretty big bug and it should have been discovered long ago.

1) Here's how you test. Throw a Lost=* into the first search clause like so, and see if it starts working in your dashboard view:

    index=ping sourcetype=ping Lost=* | stats count(eval(Lost=1)) AS LOST, count(eval(Lost=0)) AS NOTLOST by pingtarget

2) The other idea that springs to mind is maybe it's looking for fields called "1" and "2" in the dashboard view, but evaluating to the value 1 and 2 in flashtimeline. This makes even less sense but you can troubleshoot it easily by wrapping 1 and 2 in quotes.

One question: If you throw another SimpleResultsTable in there as a sibling of the HiddenPostProcess, but not as a child of the HiddenPostProcess, does that table render anything? If it does then it's possible the Job Inspector itself has gotten confused.

0 Karma

proctorgeorge
Path Finder

Thanks for the reply Nick,
Unfortunately none of your suggestions have fixed it. I am using 4.1.5! Was this issue fixed in 4.1.6/7?
The sibling Table is also showing nothing and pointing to the same 2nd half of the search.

0 Karma