Dashboards & Visualizations

Why is my dashboard displaying N/A for a single value panel when using the base search id?

bruceclarke
Contributor

I have a dashboard with one base search that drives a bunch of panels. To clean up the XML, make the dashboard easier to edit, and maybe make the dashboard a little performant, I am using a base search to drive these panels. The relevant XML is below:

<!-- We use this search to cache values for the searches below -->
<search id="exceptionInformation">
  <query>index=errors sourcetype=dotNetExceptions ExtractedMetadata.id=$exceptionId$ | head 1</query>
  <earliest>$timeRange.earliest$</earliest>
  <latest>$timeRange.latest$</latest>
</search>

...

<!-- This panel returns "N/A" but actually returns the correct results when I click the icon to run it in the search app -->
<panel>
  <title>Associated Request ID</title>
  <single>
    <search base="exceptionInformation">
      <query>search * | rename ExtractedMetadata.requestId as RequestId | table RequestId</query>
      <earliest>$timeRange.earliest$</earliest>
      <latest>$timeRange.latest$</latest>
    </search>
  </single>
</panel>

...

<!-- This panel works just fine. It returns the same results regardless of if I'm looking at it in the dashboard or in the search app -->
<panel>
  <title>Exception Inner Stack Trace</title>
  <table>
    <search base="exceptionInformation">
      <query>search * | eval stackTrace=coalesce('CanonicalException.InnerException.StackTrace','CanonicalException.StackTrace') | eval stackTrace=replace(stackTrace," at ", " <NEWLINE> at ") | makemv delim=" <NEWLINE> " stackTrace | rename stackTrace as "Inner Stack Trace" | table "Inner Stack Trace"</query>
      <earliest>$timeRange.earliest$</earliest>
      <latest>$timeRange.latest$</latest>
    </search>
    <option name="linkView">search</option>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="drilldown">none</option>
    <option name="count">10</option>
  </table>
</panel>

As I mentioned in the comments above, the base search works fine for the last "table" panel, but doesn't work correctly for the "single" panel. Is this a bug in Splunk? Has anybody seen this behavior before? Any help/workarounds would be greatly appreciated.

Thanks!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Change your base search query with this and test

index=errors sourcetype=dotNetExceptions ExtractedMetadata.id=$exceptionId$ | head 1 | table *

View solution in original post

woodcock
Esteemed Legend

Official SplunkFu (http://image.slidesharecdn.com/splunkninjas-newfeaturespivotandsearchdojo-150312174437-conversion-ga...) says to do the rename last so try this:

   <query>table RequestId | rename ExtractedMetadata.requestId AS RequestId</query>
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Change your base search query with this and test

index=errors sourcetype=dotNetExceptions ExtractedMetadata.id=$exceptionId$ | head 1 | table *

woodcock
Esteemed Legend

The XML-based dashboards require ampersand, less-than, and greater-than to be URL-encoded so you need to change:

<NEWLINE>

to this:

&lt;NEWLINE&gt;
0 Karma

bruceclarke
Contributor

I should have simplified the search example, but rest assured the searches are URL-encoded properly. Moreover, that is the panel that actually works exactly as I would expect. It's the single panel that I'm seeing issues with

0 Karma

woodcock
Esteemed Legend

Remove the search * | strings from your `` lines.

0 Karma

bruceclarke
Contributor

Unfortunately, I still get the same results, "N/A" is displayed for the single panels. Nice to know that the search * command isn't needed though.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...