Getting Data In

Fields missing only when queried via SDK / Rest API

ardave
Explorer

I have a query to average out the performance of requests each individual server for the last one minutes, as follows:

index=iis earliest=-1m host=group1_* OR host=group2_*  | STATS avg(time_taken) as Value BY host | EVAL counter="Server Response Time" | fields + host, Value, counter

This works fine via the Splunk Web/UI but the exact same query yields no "Value" column when submitted via the SDK.

So this query returns exactly what I want/expect via Splunk web access: three columns: one for the host/server name, one for the average of the time_taken fields for that host, and one column containing the literal "Server Response Time", just so that the client code that I'm writing (via the Splunk C# SDK v2.0.0) can distinguish the results of this query from other queries.

However, I can't get the REST API to return any values for for the "Value" column. I've mimicked the code sample from the C# SDK found in root\examples\normal-search\Program.cs, using the example of the "Pull Model" code sample.

And my code works fine for other Splunk queries; just not this query with the "STATS avg(...)" clause.

Interestingly, the Splunk.Client.SearchResult object does have an entry in its .FieldNames collection named "Value", but the dynamic object itself never has a .Value property, nor can I find anything resembling the Value column I see just fine when running the same query within the Web/UI. I can however find all other columns in the dynamic object.

Additionally, I looked at the request to the REST API itself and it appears as though the "Value" field is defined differently than the other fields, "host" and "counter", but I cannot understand the reasons why.

<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta>
<fieldOrder>
<field groupby_rank="0">host</field>
<field>Value</field>
<field type="str">counter</field>
</fieldOrder>
</meta>
    <result offset='0'>
        <field k='host'>
            <value h='1'><text>[redacted]</text></value>
        </field>
        <field k='counter'>
            <value><text>Server Response Time</text></value>
        </field>
    </result>
    <result offset='1'>
        <field k='host'>
            <value h='1'><text>[redacted]</text></value>
        </field>
        <field k='counter'>
            <value><text>Server Response Time</text></value>
        </field>
    </result>

and so on.

Thank you in advance for any help!

Tags (3)
0 Karma
1 Solution

musskopf
Builder

Check the field extract permissions and if the scope is defined as app or global... try to make it "global" and accessible to everybody.

View solution in original post

musskopf
Builder

Check the field extract permissions and if the scope is defined as app or global... try to make it "global" and accessible to everybody.

musskopf
Builder

Check the field extract permissions and if the scope is defined as app or global... try to make it "global" and accessible to everybody.

0 Karma

ardave
Explorer

It did indeed turn out to be a permissions issue. If you like, make this into a full answer and I will gladly accept it. Either way, thanks!

0 Karma

trustin
New Member

Could you show me how to define the scope as global? Thanks so much!

0 Karma

ardave
Explorer

That's a good idea to try. Unfortunately "Foo" doesn't work either, as in: index=iis earliest=-1m host=group1_* OR host=group2_** | STATS avg(time_taken) as Foo BY host | EVAL counter="Server Response Time" | fields + host, Foo, counter
My guess is that something to do with "STATS" or "avg" or the piping is preventing the field from being returned, but I haven't been able to figure out how to overcome.

0 Karma

sk314
Builder

Have you tried using some other name instead of Value (say avg_time_taken or so)?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...