Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Unable to create search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am in Splunk Enterprise trying to create a Dashboard in the source code.
When I input the below code it says on the UI "Unable to create search" in regards to the User: All section
Is this a user role restriction preventing me from searching all users or something else? It does not have any errors in the edit source page.
Below Code:
<form theme="dark">
<label>Splunk Search Activity</label>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="time1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="radio" token="exclude1" searchWhenChanged="true">
<label>Splunk System User</label>
<choice value="user!=splunk-system-user">exclude</choice>
<choice value="*">include</choice>
<default>user!=splunk-system-user</default>
<initialValue>user!=splunk-system-user</initialValue>
</input>
<input type="multiselect" token="user1">
<label>User:</label>
<fieldForLabel>user1</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>index=_audit action=search
search!="'typeahead*" $exclude1$ | stats count by user</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<choice value="*">all</choice>
<default>*</default>
<initialValue>*</initialValue>
<delimiter> </delimiter>
</input>
<input type="text" token="filter1">
<label>Search Filter:</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_audit action=search search!="'typeahead*" user="$user1$" search=$filter1$ $exclude1$
| stats count by _time user search total_run_time search_id app event_count
| sort -_time</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check if you've access to index=_audit. (Login as Admin, Settings-> Roles -> Role of UserInQuestion -> Indexers). Its not included by default for non-admin users.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<input type="multiselect" token="user1">
<label>User:</label>
<fieldForLabel>user1</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>index=_audit action=search
search!="'typeahead*" $exclude1$ | stats count by user</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<choice value="*">all</choice>
<default>*</default>
<initialValue>*</initialValue>
<delimiter> </delimiter>
</input><fieldForLabel>user1</fieldForLabel> This field is not returned by your query | stats count by user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer Does that mean I need to modify the query or have that index=_audit added to my account privileges? Why is that field not being returned by the query? This specific dashboard is rated highly on GoSplunk with no comments of failure so I am not sure why that query wouldn't work on my Splunk Enterprise when it worked for others. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If this dashboard as defined is working for others, then I suspect the fieldForLabel will be using the value in the fieldForValue is the field doesn't exist. In that case, it is more likely to be that you don't have permissions to access the index as @somesoni2 has already pointed out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check if you've access to index=_audit. (Login as Admin, Settings-> Roles -> Role of UserInQuestion -> Indexers). Its not included by default for non-admin users.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
