Reporting

Pivot not showing results even though clicking the "open in search" option shows results

Motivator

I'm building out a simple pivot data model with what I thought was a very straight forward search. When I first created the data model, and viewed it in the pivot view, it was displaying data. Then I added some child objects and now none of the objects display any results. But if I hit the "open in search" button (top right), the new search window that opens does in fact display results.

The search:
index=myindex source=mysource | dedup my_id sortby -_time

The children were basically coded to be data for only TODAY, Last30Days and Last7Days. This is when data stopped being displayed for any of the objects.

I've tried the following to make results come up again, with no success:

  • Deleting the children
  • Making a clone
  • Creating a brand new data model with the same root search
  • Changing the base search slightly:

index=myindex source=mysource earliest=-30d@d | dedup my_id sortby -_time

  • Using the "rebuild acceleration" option in the pivot page

None of the above changes have made results appear again on my pivot page. If I run the searches in a flashtimeline view I get results. And like I said, I even get results by using the "open in search" button from the pivot page.

Any ideas how to get results to start displaying again?

I believe this is a bug.

===== UPDATE =====

I have now also tried the following:
- Restarting the search head
- Deleting ALL the data models and creating a new one

The second one has given me mixed results. When I open the pivot view based on the data model and object, I don't get any results. But sometimes when I refresh (F5) the pivot view, I will get results, other times when I refresh I still don't get any results. If I close the pivot view and reopen it then it goes back to having no results.

This inconsistent behavior has got to be a bug...

===== UPDATE 2 =====

I managed to get a pivot that was showing data and I could change the split rows and column values around and still got data. I shared the link with a coworker but he didn't get any data... (and yes, I made sure to make the data model have app level permissions)

Tags (2)

Path Finder

did this ever get resolved??

0 Karma

Motivator

No resolution that I'm aware of. We had to go with a different solution

0 Karma

Splunk Employee
Splunk Employee

Could you attach the .json file for the data model you're working with? If it's shared at the app level, you should be able to find it at /etc/apps//local/data/models/.json

0 Karma

Builder

I'm having the same issue, but with the CIM datamodels. CIM app version 4.2.0, tested on Splunk 6.2.6 and 6.3.0 with same result.

When I view the datamodels for the CIM app in pivot, I get no results, but if I click "Open in search" on that same pivot it does show the results.

0 Karma

Did you ever find a resolution to the problem? I've also been encountering the same problem with CIM 4.2 and Splunk 6.3, and haven't found a way around the issue yet.

0 Karma

Builder

Never found a complete explanation or solution. I find that when I'm not getting results in a pivot, if I turn on datamodel acceleration sometimes I start getting results in the pivot.

0 Karma

Motivator

@btorresgil and @svaughnbehrens , I never got a solution to this problem. We moved away from pivots for this particular solution.

0 Karma

Splunk Employee
Splunk Employee

So far I'm not able to reproduce the problem. I modified your data model to have the following base search:

index=_internal source=*splunkd_access.log earliest=-30d@d | dedup date_hour sortby -_time

The results always show up in pivot. I can add a child with a custom constraint and everything works fine. Is there anything special about the data you're using?

0 Karma

Path Finder

sorry to jump on this thread, but how do you create a data model with "|" pipe in the base search? I keep getting errors that "|" pipe is not allowed. I used your reference to json to find the data model and edited it and it still said pipes were not allowed. I want to do pretty much the same thing your example had and dedup the base search.

0 Karma

Motivator

I attached the file to the ticket and sent it to you personally as well. Let me know when you have had a chance to look at it. Thanks

0 Karma

Splunk Employee
Splunk Employee

Sorry about that: sfishel@splunk.com. I'm not with support but I was one of the engineers on the pivot project.

You should definitely attach the file to the open ticket, and if you don't mind sending it to me as well I can start looking into it.

0 Karma

Motivator

Can't seem to find your contact info... Are you Splunk support? I can attach the file to the open ticket if you are.

0 Karma

Splunk Employee
Splunk Employee

Hmm yeah I guess you can't attach files, only images. If you don't want to paste the contents, you can email the file to me.

0 Karma

Motivator

I'm not sure how to attach a file...

And I don't just want to paste the contents because it's actually really long (600+ lines)

0 Karma