Solved: Fields missing only when queried via SDK / Rest AP...

ardave · ‎09-29-2014

I have a query to average out the performance of requests each individual server for the last one minutes, as follows:

index=iis earliest=-1m host=group1_* OR host=group2_*  | STATS avg(time_taken) as Value BY host | EVAL counter="Server Response Time" | fields + host, Value, counter

This works fine via the Splunk Web/UI but the exact same query yields no "Value" column when submitted via the SDK.

So this query returns exactly what I want/expect via Splunk web access: three columns: one for the host/server name, one for the average of the time_taken fields for that host, and one column containing the literal "Server Response Time", just so that the client code that I'm writing (via the Splunk C# SDK v2.0.0) can distinguish the results of this query from other queries.

However, I can't get the REST API to return any values for for the "Value" column. I've mimicked the code sample from the C# SDK found in root\examples\normal-search\Program.cs, using the example of the "Pull Model" code sample.

And my code works fine for other Splunk queries; just not this query with the "STATS avg(...)" clause.

Interestingly, the Splunk.Client.SearchResult object does have an entry in its .FieldNames collection named "Value", but the dynamic object itself never has a .Value property, nor can I find anything resembling the Value column I see just fine when running the same query within the Web/UI. I can however find all other columns in the dynamic object.

Additionally, I looked at the request to the REST API itself and it appears as though the "Value" field is defined differently than the other fields, "host" and "counter", but I cannot understand the reasons why.

<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta>
<fieldOrder>
<field groupby_rank="0">host</field>
<field>Value</field>
<field type="str">counter</field>
</fieldOrder>
</meta>
    <result offset='0'>
        <field k='host'>
            <value h='1'><text>[redacted]</text></value>
        </field>
        <field k='counter'>
            <value><text>Server Response Time</text></value>
        </field>
    </result>
    <result offset='1'>
        <field k='host'>
            <value h='1'><text>[redacted]</text></value>
        </field>
        <field k='counter'>
            <value><text>Server Response Time</text></value>
        </field>
    </result>

and so on.

Thank you in advance for any help!

musskopf · ‎10-06-2014

Check the field extract permissions and if the scope is defined as app or global... try to make it "global" and accessible to everybody.

View solution in original post

musskopf · ‎10-06-2014

Check the field extract permissions and if the scope is defined as app or global... try to make it "global" and accessible to everybody.

musskopf · ‎09-30-2014

Check the field extract permissions and if the scope is defined as app or global... try to make it "global" and accessible to everybody.

ardave · ‎10-03-2014

It did indeed turn out to be a permissions issue. If you like, make this into a full answer and I will gladly accept it. Either way, thanks!

trustin · ‎12-15-2014

Could you show me how to define the scope as global? Thanks so much!

ardave · ‎09-30-2014

That's a good idea to try. Unfortunately "Foo" doesn't work either, as in: index=iis earliest=-1m host=group1_* OR host=group2_** | STATS avg(time_taken) as Foo BY host | EVAL counter="Server Response Time" | fields + host, Foo, counter
My guess is that something to do with "STATS" or "avg" or the piping is preventing the field from being returned, but I haven't been able to figure out how to overcome.

sk314 · ‎09-29-2014

Have you tried using some other name instead of Value (say avg_time_taken or so)?

Fields missing only when queried via SDK / Rest API

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)