I'm building out a simple pivot data model with what I thought was a very straight forward search. When I first created the data model, and viewed it in the pivot view, it was displaying data. Then I added some child objects and now none of the objects display any results. But if I hit the "open in search" button (top right), the new search window that opens does in fact display results.
index=myindex source=mysource | dedup my_id sortby -_time
The children were basically coded to be data for only TODAY, Last30Days and Last7Days. This is when data stopped being displayed for any of the objects.
I've tried the following to make results come up again, with no success:
index=myindex source=mysource earliest=-30d@d | dedup my_id sortby -_time
None of the above changes have made results appear again on my pivot page. If I run the searches in a flashtimeline view I get results. And like I said, I even get results by using the "open in search" button from the pivot page.
Any ideas how to get results to start displaying again?
I believe this is a bug.
===== UPDATE =====
I have now also tried the following:
- Restarting the search head
- Deleting ALL the data models and creating a new one
The second one has given me mixed results. When I open the pivot view based on the data model and object, I don't get any results. But sometimes when I refresh (F5) the pivot view, I will get results, other times when I refresh I still don't get any results. If I close the pivot view and reopen it then it goes back to having no results.
This inconsistent behavior has got to be a bug...
===== UPDATE 2 =====
I managed to get a pivot that was showing data and I could change the split rows and column values around and still got data. I shared the link with a coworker but he didn't get any data... (and yes, I made sure to make the data model have app level permissions)
I'm having the same issue, but with the CIM datamodels. CIM app version 4.2.0, tested on Splunk 6.2.6 and 6.3.0 with same result.
When I view the datamodels for the CIM app in pivot, I get no results, but if I click "Open in search" on that same pivot it does show the results.
So far I'm not able to reproduce the problem. I modified your data model to have the following base search:
index=_internal source=*splunkd_access.log earliest=-30d@d | dedup date_hour sortby -_time
The results always show up in pivot. I can add a child with a custom constraint and everything works fine. Is there anything special about the data you're using?
sorry to jump on this thread, but how do you create a data model with "|" pipe in the base search? I keep getting errors that "|" pipe is not allowed. I used your reference to json to find the data model and edited it and it still said pipes were not allowed. I want to do pretty much the same thing your example had and dedup the base search.
Sorry about that: firstname.lastname@example.org. I'm not with support but I was one of the engineers on the pivot project.
You should definitely attach the file to the open ticket, and if you don't mind sending it to me as well I can start looking into it.