Dashboards & Visualizations

Search is not working in the dashboard

VatsalJagani
Motivator

I'm not sure why the below search works fine on the Search page but gives "Search did not return any events." in the dashboard. (On the Search page I'm using a single $ sign.)

| rest /servicesNS/-/-/saved/searches
| search disabled=0 is_scheduled=1
| eval encodedtitle=title
| replace " " with "%20", "," with "%2C", "'" with "%27" in encodedtitle
| rename "alert.severity" as severity, "dispatch.earliest_time" as earliest_time, "dispatch.latest_time" as latest_time, "eai:acl.app" as app
| fields title, encodedtitle, disabled, severity, cron_schedule, description, earliest_time, latest_time, app, is_scheduled, next_scheduled_time, triggered_alert_count
| map maxsearches=1000 search="| rest /servicesNS/-/-/alerts/fired_alerts/$$encodedtitle$$ | dedup savedsearch_name sortby -trigger_time | table trigger_time_rendered, trigger_time | eval title=$$title$$, disabled=$$disabled$$, severity=$$severity$$, cron_schedule=$$cron_schedule$$, description=$$description$$, earliest_time=$$earliest_time$$, latest_time=$$latest_time$$, app=$$app$$, is_scheduled=$$is_scheduled$$, next_scheduled_time=$$next_scheduled_time$$, triggered_alert_count=$$triggered_alert_count$$"
| append [| makeresults | eval test="test"]

What is more surprising is that, in the dashboard, even the value from makeresults is not showing. And there are no errors in search.log.

I'm using Splunk version 8.0.4.1
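
The search above builds the fired_alerts endpoint path from the saved-search title by hand, replacing only space, comma and apostrophe. As an added example (not code from the original post or from Splunk), the Python below reproduces that replace step next to a full percent-encoding and checks, over a few constructed titles, whether each result is still a single path segment that decodes back to the original title. The sample titles and the helper names are assumptions for illustration.

```python
import re
from urllib.parse import quote, unquote

# The three substitutions the question's SPL `replace` command performs.
SPL_REPLACEMENTS = {" ": "%20", ",": "%2C", "'": "%27"}

# Constructed saved-search titles (not taken from the post), chosen to
# exercise characters the manual replace does not cover.
SAMPLE_TITLES = [
    "Failed logins, per host",
    "Admin's VPN alert",
    "Errors > 5% / host",
    "SSH brute force? #2",
]

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Raw characters that would split the path, start a query or fragment,
# or leave a malformed escape if they survive encoding.
RAW_DELIMITERS = set("/?#% ")


def spl_style_encode(title: str) -> str:
    """Mimic `replace " " with "%20", "," with "%2C", "'" with "%27" in encodedtitle`."""
    out = title
    for raw, enc in SPL_REPLACEMENTS.items():
        out = out.replace(raw, enc)
    return out


def full_encode(title: str) -> str:
    """Percent-encode every reserved character so the title is one path segment."""
    return quote(title, safe="")


def fired_alerts_path(title: str, encoder=full_encode) -> str:
    """Build the endpoint path the map subsearch in the question calls."""
    return "/servicesNS/-/-/alerts/fired_alerts/" + encoder(title)


def is_single_path_segment(encoded: str) -> bool:
    """True if, once well-formed %XX escapes are removed, nothing is left
    that a URL parser would treat as a delimiter or a broken escape."""
    residue = PCT_ESCAPE.sub("", encoded)
    return residue.isprintable() and not (set(residue) & RAW_DELIMITERS)


def safe_for_rest_path(title: str, encoder) -> bool:
    """The encoded title must stay a single segment and decode back to the
    original, so the REST call targets exactly the intended saved search."""
    encoded = encoder(title)
    return is_single_path_segment(encoded) and unquote(encoded) == title


def audit(titles):
    """For each title: (safe with the SPL replace, safe with full encoding)."""
    return {
        t: (safe_for_rest_path(t, spl_style_encode), safe_for_rest_path(t, full_encode))
        for t in titles
    }


if __name__ == "__main__":
    for title, (spl_ok, full_ok) in audit(SAMPLE_TITLES).items():
        print(f"{title!r}: replace-only safe={spl_ok}, full-encode safe={full_ok}")
        print("    ", fired_alerts_path(title, spl_style_encode))
        print("    ", fired_alerts_path(title))
```

The point of the check is the third and fourth sample titles: a "/" or "?" passes through the three-character replace untouched, so the map subsearch ends up calling a different endpoint path for that alert and quietly contributes no rows, while the fully encoded form keeps the title inside one segment. Whoever can create saved searches in the app controls these titles, so the encoding step is the only thing keeping them out of the request path.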

1 Solution

VatsalJagani
Motivator

I figured out a work-around:

Instead of using the map command and the rest endpoint, I've used the below search with the append command.

index=_internal sourcetype="scheduler" component="SavedSplunker"

And at the end, I'm using stats to get what I need.

Something like:

| rest /servicesNS/-/-/saved/searches | search disabled=0 is_scheduled=1 | rename "alert.severity" as severity, "dispatch.earliest_time" as earliest_time, "dispatch.latest_time" as latest_time, "eai:acl.app" as app | fields title, disabled, severity, cron_schedule, description, earliest_time, latest_time, app, is_scheduled, next_scheduled_time, triggered_alert_count 
| append [| search index=_internal sourcetype="scheduler" component="SavedSplunker" | rename savedsearch_name as title]
| stats first(*) as * by title


0 Karma
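
The work-around merges REST rows with scheduler events using `append` followed by `stats first(*) as * by title`. As an added example (not from the original post or from Splunk), the Python below models that merge over constructed REST rows and constructed log lines in the key=value shape of component=SavedSplunker events, so the first(*) semantics can be inspected offline: for each field the first non-null value in input order wins, so REST fields come from the REST row and scheduler fields from the newest event, and a search that has never run keeps only its REST fields. The row contents, log lines and helper names are constructed for illustration.

```python
import re

# Constructed rows standing in for the `| rest /servicesNS/-/-/saved/searches`
# output after the rename and fields commands in the work-around.
REST_ROWS = [
    {"title": "Failed logins per host", "disabled": "0", "severity": "4",
     "cron_schedule": "*/5 * * * *", "app": "search", "is_scheduled": "1"},
    {"title": "Admin's VPN alert", "disabled": "0", "severity": "5",
     "cron_schedule": "0 * * * *", "app": "search", "is_scheduled": "1"},
]

# Constructed scheduler events modelled on
# index=_internal sourcetype=scheduler component=SavedSplunker, newest first,
# which is the order a Splunk search returns events by default.
SCHEDULER_LOG = """\
07-14-2020 10:05:03.412 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Failed logins per host", search_type="scheduled", user="admin", app="search", savedsearch_name="Failed logins per host", status=success, scheduled_time=1594721100, dispatch_time=1594721103, run_time=1.204, result_count=3, alert_actions="email", sid="scheduler__admin__search__RMD5a1b2c3_at_1594721100_7"
07-14-2020 10:00:02.917 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Failed logins per host", search_type="scheduled", user="admin", app="search", savedsearch_name="Failed logins per host", status=success, scheduled_time=1594720800, dispatch_time=1594720802, run_time=0.988, result_count=0, alert_actions="", sid="scheduler__admin__search__RMD5a1b2c3_at_1594720800_6"
"""

# key=value pairs; a value is either double-quoted or runs to the next comma/space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_scheduler_line(line: str) -> dict:
    """Extract the fields after 'SavedSplunker - ' and apply the work-around's
    `rename savedsearch_name as title`."""
    _, _, body = line.partition("SavedSplunker - ")
    fields = {}
    for key, quoted, bare in KV_RE.findall(body):
        fields[key] = bare if bare else quoted
    if "savedsearch_name" in fields:
        fields["title"] = fields.pop("savedsearch_name")
    return fields


def stats_first_by_title(rows) -> dict:
    """Model `stats first(*) as * by title`: group on title and, for every
    other field, keep the first non-null value seen in input order."""
    merged = {}
    for row in rows:
        title = row.get("title")
        if title is None:
            continue  # stats drops rows whose BY field is null
        target = merged.setdefault(title, {"title": title})
        for key, value in row.items():
            if value is not None and key not in target:
                target[key] = value
    return merged


def build_report(rest_rows, scheduler_log: str) -> dict:
    """Model `<rest rows> | append [<scheduler events>] | stats first(*) as * by title`."""
    events = [parse_scheduler_line(l) for l in scheduler_log.splitlines() if l.strip()]
    return stats_first_by_title(list(rest_rows) + events)


if __name__ == "__main__":
    for title, row in build_report(REST_ROWS, SCHEDULER_LOG).items():
        print(title, "->", {k: v for k, v in row.items() if k != "title"})
```

Because the REST rows come first in the pipeline, `first(*)` never lets a scheduler event override a REST field such as app or disabled, and because the scheduler events arrive newest first, the status, result_count and dispatch_time that survive are those of the latest run. An alert that has not run inside the search's time range simply has no scheduler fields in its row, which is worth checking for before treating an empty column as "never fired".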


gcusello
SplunkTrust

Hi @VatsalJagani,

Good idea: this is the solution I was thinking of proposing to you.

Ciao.

Giuseppe

richgalloway
SplunkTrust

Since encodedtitle is not an input token, you don't need double $.  Try single $ throughout the map command.

---
If this reply helps you, an upvote would be appreciated.

VatsalJagani
Motivator

Single $ gives "Search is waiting for input...".
(As you can see, I have all the values from the results only, with no dashboard inputs/filters.)

gcusello
SplunkTrust

Hi @VatsalJagani,

"Search is waiting for input..." means that at least one of the tokens doesn't have a value.

Check the names of all tokens; maybe one is incorrect (they are case sensitive!).

A question: where do you take the tokens from, inputs or a drilldown?

You have to use $ only if you take these values from inputs or drilldowns.

If you want to take tokens from the first part of the search, you don't need $ (single or double).

Ciao.

Giuseppe

VatsalJagani
Motivator

In the dashboard it shows "Search is waiting for input...", but when I click on "Open in Search" on that panel it shows correct result.

$ is being used to pass values from the first part of the search into the map command's search.

0 Karma

gcusello
SplunkTrust

Hi @VatsalJagani,

Are you using a post process search?

Ciao.

Giuseppe

0 Karma

VatsalJagani
Motivator

No

0 Karma