Dashboards & Visualizations

Metadata as a drill-down search

sf_user_199
Path Finder

I have a drilldown search on a dashboard that I am calling like this:

<module name="HiddenSearch">
    <param name="search">| metadata type=hosts index=* | <more search here></param>

This search works when run manually, but no results are returned when used on the dashboard. If you open search inspector:

This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

None | metadata type=hosts index=* | <more search here>

I've used | Metadata on dashboards before, and this hasn't caused an issue previously. Sometimes I've used a macro os saved search to get it to work, but neither approach is working in this use case.

Any suggestions?

0 Karma

Drainy
Champion

One other option, I think it was pre-v5 Metadata would run over alltime, post v5 (possible 4.3) it now requires a time range to search over, after upgrade I actually had a few dashboards fail completely as they previously worked on the assumption of an all time search, but then I had to start specifying a time range (at least if my memory serves me right thats the way round it was)

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Not sure why it's not working without experiment, but you could do something "odd".

|metadata type=hosts index=* | outputlookup tmp_meta.csv | inputlookup append=t tmp_meta.csv | more_search_here

The idea behind this is that "metadata" doesn't return "actual events", and as such, can't do more searching on them. So I believe you can write to a lookup with metadata, and then input those values, turning them into "actual events" that can then have extra search stuff applied. I think. Give it a whirl and see if it helps.

nmistry_splunk
Splunk Employee
Splunk Employee

It works fine for me. Could you share your dashboard xml?

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...