Why is my dashboard displaying N/A for a single value panel when using the base search id?

bruceclarke
Contributor

I have a dashboard with one base search that drives a bunch of panels. To clean up the XML, make the dashboard easier to edit, and maybe make the dashboard a little more performant, I am using a base search to drive these panels. The relevant XML is below:

<!-- We use this search to cache values for the searches below -->
<search id="exceptionInformation">
  <query>index=errors sourcetype=dotNetExceptions ExtractedMetadata.id=$exceptionId$ | head 1</query>
  <earliest>$timeRange.earliest$</earliest>
  <latest>$timeRange.latest$</latest>
</search>

...

<!-- This panel returns "N/A" but actually returns the correct results when I click the icon to run it in the search app -->
<panel>
  <title>Associated Request ID</title>
  <single>
    <search base="exceptionInformation">
      <query>search * | rename ExtractedMetadata.requestId as RequestId | table RequestId</query>
      <earliest>$timeRange.earliest$</earliest>
      <latest>$timeRange.latest$</latest>
    </search>
  </single>
</panel>

...

<!-- This panel works just fine. It returns the same results regardless of if I'm looking at it in the dashboard or in the search app -->
<panel>
  <title>Exception Inner Stack Trace</title>
  <table>
    <search base="exceptionInformation">
      <query>search * | eval stackTrace=coalesce('CanonicalException.InnerException.StackTrace','CanonicalException.StackTrace') | eval stackTrace=replace(stackTrace," at ", " <NEWLINE> at ") | makemv delim=" <NEWLINE> " stackTrace | rename stackTrace as "Inner Stack Trace" | table "Inner Stack Trace"</query>
      <earliest>$timeRange.earliest$</earliest>
      <latest>$timeRange.latest$</latest>
    </search>
    <option name="linkView">search</option>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="drilldown">none</option>
    <option name="count">10</option>
  </table>
</panel>

As I mentioned in the comments above, the base search works fine for the last "table" panel, but doesn't work correctly for the "single" panel. Is this a bug in Splunk? Has anybody seen this behavior before? Any help/workarounds would be greatly appreciated.

Thanks!

1 Solution

somesoni2
Revered Legend

Change your base search query with this and test

index=errors sourcetype=dotNetExceptions ExtractedMetadata.id=$exceptionId$ | head 1 | table *
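
A lint check for the problem this answer addresses, as an added example that is not from the original thread: it flags base searches whose pipeline has no command that fixes the field list passed on to post-process panels, which Splunk's documentation asks for when the base search is non-transforming. The function names, the command list (a heuristic, not exhaustive) and the sample dashboard are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Heuristic, non-exhaustive list (an assumption of this example): commands after
# which the base search hands an explicit field set to post-process searches.
FIELD_FIXING = {"table", "fields", "stats", "chart", "timechart", "top", "rare"}


def pipeline_commands(query):
    """Command name of every stage after the first; naive split, ignores quoted pipes."""
    return [s.split()[0].lower() for s in query.split("|")[1:] if s.strip()]


def risky_base_searches(dashboard_xml):
    """Map each base search id with no field-fixing command to the panels that post-process it."""
    root = ET.fromstring(dashboard_xml)
    risky = {}
    for search in root.iter("search"):
        sid = search.get("id")
        if sid and not FIELD_FIXING & set(pipeline_commands(search.findtext("query") or "")):
            risky[sid] = []
    for panel in root.iter("panel"):
        for search in panel.iter("search"):
            if search.get("base") in risky:
                risky[search.get("base")].append(panel.findtext("title") or "(untitled)")
    return risky


# Constructed sample: the thread's base search and single panel, trimmed to well-formed XML.
SAMPLE = """<form>
  <search id="exceptionInformation">
    <query>index=errors sourcetype=dotNetExceptions ExtractedMetadata.id=$exceptionId$ | head 1</query>
  </search>
  <row>
    <panel>
      <title>Associated Request ID</title>
      <single>
        <search base="exceptionInformation">
          <query>rename ExtractedMetadata.requestId as RequestId | table RequestId</query>
        </search>
      </single>
    </panel>
  </row>
</form>"""

# Same dashboard with the accepted solution applied to the base search.
FIXED = SAMPLE.replace("| head 1</query>", "| head 1 | table *</query>")

if __name__ == "__main__":
    for label, doc in (("original", SAMPLE), ("fixed", FIXED)):
        print(label, risky_base_searches(doc))
```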


woodcock
Esteemed Legend

Official SplunkFu (http://image.slidesharecdn.com/splunkninjas-newfeaturespivotandsearchdojo-150312174437-conversion-ga...) says to do the rename last so try this:

   <query>table RequestId | rename ExtractedMetadata.requestId AS RequestId</query>

woodcock
Esteemed Legend

The XML-based dashboards require ampersand, less-than, and greater-than to be URL-encoded so you need to change:

<NEWLINE>

to this:

&lt;NEWLINE&gt;

bruceclarke
Contributor

I should have simplified the search example, but rest assured the searches are URL-encoded properly. Moreover, that is the panel that actually works exactly as I would expect. It's the single panel that I'm seeing issues with.


woodcock
Esteemed Legend

Remove the search * | strings from your `<query>` lines.


bruceclarke
Contributor

Unfortunately, I still get the same results: "N/A" is displayed for the single panels. Nice to know that the search * command isn't needed though.
