Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

[RESOLVED] Search works manually but not in dashboard

ww9rivers
Contributor
‎12-13-2013 08:54 AM

[RESOLVED]: See notes below.

Below is a search I am using in a dashboard in a HiddenSearch module:

search index=techsecu_summary source="Top-Internet-connection-permitted" | top asa_srcip, asa_dstip, asa_dstport | eval Connection="(" . asa_srcip . ", " . asa_dstip . ", " . asa_dstport . ")" | fields Connection, count, percent

The dashboard shows "No results found."

When I hit "Inspect", I get a message like this:

This search has completed and found 11,549,745 matching events. However, the transforming commands in the highlighted portion of the following search:

the search string shown above with everything after the first | highlited.

over the time range:

[12/8/13 12:00:00.000 AM – 12/13/13 11:10:30.000 AM]

generated no results.

But if I copy the search string to the "search" app and run it over the same time period (Week to date), I do get results.

Looks like I am missing something really simple but I am not able to see. Your insights are much appreciated.

Reply

ww9rivers
Contributor
‎12-13-2013 01:19 PM

[Resolved] This little issue wasted a few hours of mine!

I'll call it my fault: The problem is that, in splitting the search command into multiple lines to make it a bit more readable, I put a tab in front of the pipe (|) characters. Once I manually replaced the tabs with spaces, the dashboard works as expected.

Reply

cramasta
Builder
‎12-13-2013 12:17 PM

Might be a issue with special characters or maybe something with the spaces in the eval. Try this...

<param name="search"><![CDATA[index=techsecu_summary source="Top-Internet-connection-permitted"
| top asa_srcip, asa_dstip, asa_dstport
| eval Connection=asa_srcip."/".asa_dstip.":".asa_dstport
| fields Connection, count, percent]]>
</param>

0 Karma
Reply

ww9rivers
Contributor
‎12-13-2013 01:21 PM

After figuring out the tabs, I did try the CDATA wrapping (with the tabs in front of the |'s), expecting the dashboard to work. But that still did not work for me.

0 Karma
Reply

ww9rivers
Contributor
‎12-13-2013 11:54 AM

Yes, I'm using advanced XML.

Sorry, the "search" command is copied from the "Search job inspector" page. It's not part of my XML, which actually reads:

  <param name="search">index=techsecu_summary source="Top-Internet-connection-permitted"
    | top asa_srcip, asa_dstip, asa_dstport
    | eval Connection=asa_srcip . "/" . asa_dstip . ":" . asa_dstport
    | fields Connection, count, percent
  </param>

I did change the "eval" line. But that was not the problem.

0 Karma
Reply

somesoni2
Revered Legend
‎12-13-2013 10:58 AM

Try removing "search" command from your search [start directly with index-....]

0 Karma
Reply

cramasta
Builder
‎12-13-2013 10:23 AM

are you using advanced xml?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...