Dashboards & Visualizations

Why is the user unable to see the results for the dashboard?

carlyleadmin
Contributor

I have a really weird problem. I have 3 users that cannot see the results on a dashboard that i've created, it says "No results found". When I click on open in search and run it there the results come in. I looked into job, inspect and cannot find anything that why this is happening.
When I inspect the job this is what I get:

This search has completed and found 594 matching events. However, the transforming commands in the highlighted portion of the following search:

search index="pas" host="pa1pv" Name="C:" OR Name="D:" OR Name="E:" OR Name="P:" FreeSpace | eval DiskFreeSpace = round((FreeSpace/1024/1024/1024), 2) | eval DiskSpace = round((Size/1024/1024/1024),2) | rename Name AS Disk host AS Host | table Host,Disk,DiskSpace,DiskFreeSpace | dedup Disk
over the time range:

5/28/18 11:00:00.000 AM – 5/29/18 11:43:24.000 AM
generated no results. Possible solutions are to:

check the syntax of the commands
verify that the fields expected by the report commands are present in the events
The following messages were returned by the search subsystem:

INFO: No matching fields exist.

User has the same privileges as me and by the way the highlighted part is | table Host,Disk,DiskSpace,DiskFreeSpace | dedup Disk

Next I decided to take the source code for the dashboard and created the same dashboard with a different name but this time i had the user create the dashboard, and the result was the same. Then i thought maybe there is a problem with extractions, so I found another dashboard with no extractions on it and had the user create the same dashboard and still issue was there. When the user goes to dashboard, it gets "No results found" but when opening the same dashboard search from search, the results come in.

And for the failing dashboards when I look into jobs, it is always the same error as above and usually the error is in table command.

Next, I looked into search log for the query that runs under jobs and I looked for Error and the only difference that I can find from the logs between the same job that I ran and the user ran is below:

ERROR SearchResultsWriter - Unable to open output file: path=C:\Program Files\Splunk\var\run\splunk\dispatch\_dmVlcmFuamFuZXl1bHUubWFra2VuYS5jd0BjYXJseWxlLmNvbQ_dmVlcmFuamFuZXl1bHUubWFra2VuYS5jd0BjYXJseWxlLmNvbQ__search__search1_1527608604.658154\prereport_99d3ce4676a3f904_0.csv.gz.ED59C342-22E5-470D-B6C0-89CD922229FB.tmp error=The system cannot find the path specified.

But then when I search this error on the web it talks about character limit etc which does not apply to me.

Like I said the user has the same access as I have and if he didn't he wouldn't be able to see the dashboards or antyhingalt text

Our Environment is AD auth integrated.

I know that it will be very hard to pinpoint the issue here, but I am curious to see if anyone had a similar issue like I have and know where to look or know of any other additional troubleshooting steps that I need to perform.

Thanks

0 Karma
1 Solution

carlyleadmin
Contributor

Just a quick update.i did not find the root cause but i did find a work around to the problem. i simply add stats command before the table command on my search query and save it as a dashboard that way and my users are now able to see the results in the dashboard.

it is complaining about the table command in my search but i do not know why.

Thanks for all who took the time to help me

View solution in original post

0 Karma

carlyleadmin
Contributor

Just a quick update.i did not find the root cause but i did find a work around to the problem. i simply add stats command before the table command on my search query and save it as a dashboard that way and my users are now able to see the results in the dashboard.

it is complaining about the table command in my search but i do not know why.

Thanks for all who took the time to help me

0 Karma

somesoni2
Revered Legend

See if the role of the user(s) having issue can search the index 'pa' (for their roles, see if index pa is added to Indexes section).

0 Karma

carlyleadmin
Contributor

yes they can.like i said this is really odd.the users have the same access and roles assigned to them as i have.

like i said,i don't think this is a permission issue but again who knows.but here are some of the facts;
1-user has same access as i have.roles,index section etc)
2-user can search, bring results with the same search query that i use,but when the user tries to save the search as a dashboard,he cannot see the results in the dashboard.then user can clcik on "open in search" under the dashboard panel that he just created and search results come up.
3-when i look at the job and inspect it, it gives the error i mentioned and |table command is highlighted
4-i started a new search(totally a different one from the above mentioned example) with the user using table command and the results come in,but again,saving the search as dashboard same issue.and when i go to the dashboard that my user just created with my account,i can see the results in dashboard but the user can not.

5-then i saved the same search query as report and was able to see the report with results as expected.(using the user account that is having issue)

6-finally i took the same search and instead of using table,i used chart command and save it as dashboard and my user can see the dashboard when he goes to it.

index=pa host=11pv sourcetype="WinEventLog:System" restart EventCode=1074|chart count(Message) by host

so,the million dollar question is,why in the hell is it complaining about the table command for those 3 users,when my other 10 users including myself can open up the same saved dashboard and can see the results?this just does not make sense.all my 13 users have the same roles permission etc assigned to them.

i will keep you updated if i ever find out the root cause.

Thanks

0 Karma

xpac
SplunkTrust
SplunkTrust

Take the search string an search with it on your browser. Have your user do the same. It should produce different results, i.e. fail for him/her.
Next step, starting from the end, remove everything up to and including the first pipe. Search again in both browsers. Do that until you get to a point where both of you get the same results.
Tell us what has then remained from your search string. 😉

0 Karma

carlyleadmin
Contributor

Xpac,

search on a browser works.the problem is,if i take a search let's say;

index=pa host=11pv sourcetype="WinEventLog:System" restart EventCode=1074|table host Message

it comes with results,but when i save this search as dashboard,and go to that dashboard i get " No results Found".then i look into job and inspect and that's where i see the original error that posted above.

"This search has completed and found 13 matching events. However, the transforming commands in the highlighted portion of the following search:" table host message part is highlighted in my search query.

but like i said after opening the dashboard and getting no results i click on "open in search"under the dashboard panel and when the it opens up in a new window i select time range or just search again and the results come in,so i don't think your answer will help me.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...