Dashboards & Visualizations

Search is not working in the dashboard

VatsalJagani
SplunkTrust
SplunkTrust

I'm not sure why the below search works fine on the search page but gives "Search did not return any events." in the dashboard. (In Search page I'm using single $ sign)

| rest /servicesNS/-/-/saved/searches | search disabled=0 is_scheduled=1 | eval encodedtitle=title | eval encodedtitle=urlencode | replace " " with "%20", "," with "%2C", "'" with "%27" in urlencode encodedtitle | rename "alert.severity" as severity, "dispatch.earliest_time" as earliest_time, "dispatch.latest_time" as latest_time, "eai:acl.app" as app | fields title, encodedtitle, disabled, severity, cron_schedule, description, earliest_time, latest_time, app, is_scheduled, next_scheduled_time, triggered_alert_count 
| map maxsearches=1000 search="| rest /servicesNS/-/-/alerts/fired_alerts/$$encodedtitle$$ | dedup savedsearch_name sortby -trigger_time | table trigger_time_rendered, trigger_time | eval title=$$title$$, disabled=$$disabled$$, severity=$$severity$$, cron_schedule=$$cron_schedule$$, description=$$description$$, earliest_time=$$earliest_time$$, latest_time=$$latest_time$$, app=$$app$$, is_scheduled=$$is_scheduled$$, next_scheduled_time=$$next_scheduled_time$$, triggered_alert_count=$$triggered_alert_count$$"
| append [| makeresults | eval test="test"]

 

What is more surprising is, in the dashboard, even the value with make results is not showing. And there is no errors in the search.log.

I'm using Splunk version 8.0.4.1

Labels (1)
Tags (3)
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

I figured out a work-around:

Instead of using the map command and rest endpoint, I've used below search with the append command.

 

index=_internal sourcetype="scheduler" component="SavedSplunker"

 

And at the end, I'm using stats to get what I need.

 

Something like:

| rest /servicesNS/-/-/saved/searches | search disabled=0 is_scheduled=1 | rename "alert.severity" as severity, "dispatch.earliest_time" as earliest_time, "dispatch.latest_time" as latest_time, "eai:acl.app" as app | fields title, disabled, severity, cron_schedule, description, earliest_time, latest_time, app, is_scheduled, next_scheduled_time, triggered_alert_count 
| append [| search index=_internal sourcetype="scheduler" component="SavedSplunker" | rename savedsearch_name as title]
| stats first(*) as * by title

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

I figured out a work-around:

Instead of using the map command and rest endpoint, I've used below search with the append command.

 

index=_internal sourcetype="scheduler" component="SavedSplunker"

 

And at the end, I'm using stats to get what I need.

 

Something like:

| rest /servicesNS/-/-/saved/searches | search disabled=0 is_scheduled=1 | rename "alert.severity" as severity, "dispatch.earliest_time" as earliest_time, "dispatch.latest_time" as latest_time, "eai:acl.app" as app | fields title, disabled, severity, cron_schedule, description, earliest_time, latest_time, app, is_scheduled, next_scheduled_time, triggered_alert_count 
| append [| search index=_internal sourcetype="scheduler" component="SavedSplunker" | rename savedsearch_name as title]
| stats first(*) as * by title
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VatsalJagani,

Good idea: this is the solution, I'm thinking to propose to you.

Ciao.

Giuseppe

richgalloway
SplunkTrust
SplunkTrust

Since encodedtitle is not an input token, you don't need double $.  Try single $ throughout the map command.

---
If this reply helps you, Karma would be appreciated.

VatsalJagani
SplunkTrust
SplunkTrust

Single $ gives " Search is waiting for input...".
(As you can see I've all the values from the results only no dashboard inputs/filters)

gcusello
SplunkTrust
SplunkTrust

Hi @VatsalJagani,

" Search is waiting for input..." means that at least one of the tokens hasn't a value.

Check the names of all tokens, maybe there's one non correct (they are case sensivite!)

A question: where do you take the tokens, from inputs or from a drilldown?

You have to use $ only if you take these values from inputs or drilldowns.

if you want to take tokens from the first part of search, you don't need $ (single or double).

Ciao.

Giuseppe

VatsalJagani
SplunkTrust
SplunkTrust

In the dashboard it shows "Search is waiting for input...", but when I click on "Open in Search" on that panel it shows correct result.

$ is being used to get values in from the first part of search to map command search.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VatsalJagani,

Are you using a post process search?

Ciao.

Giuseppe

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

No

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...