Dashboards & Visualizations

Search is not working in the dashboard

VatsalJagani
Champion

I'm not sure why the search below works fine on the Search page but gives "Search did not return any events." in the dashboard. (On the Search page I'm using a single $ sign.)

| rest /servicesNS/-/-/saved/searches
| search disabled=0 is_scheduled=1
| eval encodedtitle=replace(replace(replace(title, " ", "%20"), ",", "%2C"), "'", "%27")
| rename "alert.severity" as severity, "dispatch.earliest_time" as earliest_time, "dispatch.latest_time" as latest_time, "eai:acl.app" as app
| fields title, encodedtitle, disabled, severity, cron_schedule, description, earliest_time, latest_time, app, is_scheduled, next_scheduled_time, triggered_alert_count
| map maxsearches=1000 search="| rest /servicesNS/-/-/alerts/fired_alerts/$$encodedtitle$$ | dedup savedsearch_name sortby -trigger_time | table trigger_time_rendered, trigger_time | eval title=$$title$$, disabled=$$disabled$$, severity=$$severity$$, cron_schedule=$$cron_schedule$$, description=$$description$$, earliest_time=$$earliest_time$$, latest_time=$$latest_time$$, app=$$app$$, is_scheduled=$$is_scheduled$$, next_scheduled_time=$$next_scheduled_time$$, triggered_alert_count=$$triggered_alert_count$$"
| append [| makeresults | eval test="test"]

What is more surprising is that, in the dashboard, even the value from makeresults is not showing. And there are no errors in search.log.

I'm using Splunk version 8.0.4.1

1 Solution

VatsalJagani
Champion

I figured out a work-around:

Instead of using the map command and the rest endpoint, I've used the search below with the append command.

index=_internal sourcetype="scheduler" component="SavedSplunker"

And at the end, I'm using stats to get what I need.

Something like:

| rest /servicesNS/-/-/saved/searches | search disabled=0 is_scheduled=1 | rename "alert.severity" as severity, "dispatch.earliest_time" as earliest_time, "dispatch.latest_time" as latest_time, "eai:acl.app" as app | fields title, disabled, severity, cron_schedule, description, earliest_time, latest_time, app, is_scheduled, next_scheduled_time, triggered_alert_count 
| append [| search index=_internal sourcetype="scheduler" component="SavedSplunker" | rename savedsearch_name as title]
| stats first(*) as * by title

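As an added example (not the poster's own dashboard), here is a Simple XML panel that wraps the workaround search and filters it by an app dropdown: the dropdown token is written with a single $ because it comes from an input, and since the workaround contains no map command there is no $field$ substitution that would need the $$ escape Simple XML uses for a literal $. The app field on the scheduler events and the 24-hour window are assumptions.

```xml
<dashboard>
  <label>Scheduled searches and last scheduler run (added example)</label>
  <fieldset submitButton="false">
    <!-- Dashboard input: its token is referenced with a single $ below -->
    <input type="dropdown" token="app" searchWhenChanged="true">
      <label>App</label>
      <choice value="*">All</choice>
      <search>
        <query>| rest /servicesNS/-/-/saved/searches
| search disabled=0 is_scheduled=1
| rename "eai:acl.app" as app
| stats count by app</query>
      </search>
      <fieldForLabel>app</fieldForLabel>
      <fieldForValue>app</fieldForValue>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Scheduled searches in $app$</title>
      <table>
        <search>
          <!-- $app$ is an input token, so a single $ is correct here.
               No map command means no $field$ substitution, so nothing
               in this query has to be escaped as $$. The app field on the
               _internal scheduler events is assumed to be present. -->
          <query>| rest /servicesNS/-/-/saved/searches
| search disabled=0 is_scheduled=1
| rename "alert.severity" as severity, "dispatch.earliest_time" as earliest_time, "dispatch.latest_time" as latest_time, "eai:acl.app" as app
| search app="$app$"
| fields title, disabled, severity, cron_schedule, description, earliest_time, latest_time, app, is_scheduled, next_scheduled_time, triggered_alert_count
| append [| search index=_internal sourcetype="scheduler" component="SavedSplunker" app="$app$" | rename savedsearch_name as title]
| stats first(*) as * by title</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Picking All passes the value *, which both search filters accept as a wildcard.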

gcusello
Esteemed Legend

Hi @VatsalJagani,

Good idea: this is the solution I was thinking of proposing to you.

Ciao.

Giuseppe

richgalloway
SplunkTrust

Since encodedtitle is not an input token, you don't need the double $. Try a single $ throughout the map command.

---
If this reply helps you, Karma would be appreciated.

VatsalJagani
Champion

A single $ gives "Search is waiting for input...".
(As you can see, I take all the values from the results only; there are no dashboard inputs/filters.)

gcusello
Esteemed Legend

Hi @VatsalJagani,

"Search is waiting for input..." means that at least one of the tokens doesn't have a value.

Check the names of all tokens; maybe one of them is not correct (they are case sensitive!).

A question: where do you take the tokens, from inputs or from a drilldown?

You have to use $ only if you take these values from inputs or drilldowns.

If you want to take tokens from the first part of the search, you don't need $ (single or double).

Ciao.

Giuseppe

VatsalJagani
Champion

In the dashboard it shows "Search is waiting for input...", but when I click "Open in Search" on that panel it shows the correct result.

$ is being used to pass values from the first part of the search to the map command's search.


gcusello
Esteemed Legend

Hi @VatsalJagani,

Are you using a post process search?

Ciao.

Giuseppe


VatsalJagani
Champion

No
