Troubleshooting help - Report fails, but query runs in search

Path Finder


We have a query like this:

app="SampleApp" env="PROD" "SalesDashboard" 
| rex field=_raw "\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\,\d+\s\|\s\w+\s\s\|\s\[\w+\]\s\|\s\[\w+\.\w+\.\w+\]\s\|\s((?<SaleName>\w+)\,)?(?<Date>\d+\-\d+\-\d+)\,(?<SaleID>\w+)\,(?<BusinessType>\w+)\,(?<SaleType>\w+)\,(?<SaleStatus>\w+)\,(?<SaleCount>\d+)" 
| fields SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount 
| where isnotnull(Date) AND isnotnull(SaleID) AND isnotnull(BusinessType) AND isnotnull(SaleType) AND isnotnull (SaleStatus) AND isnotnull(SaleCount) 
| table SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount

The query runs when I go to Reports -> Open in Search
- Refer below for screenshot
The query fails when I go into the report (Sales Dashboard) -> Edit -> Open in Search. The error thrown is 'No matching fields exist'.
- Refer below for screenshot

When I go into 'Inspect Job':

Value when the query works in Reports -> Open in Search

  • search (app="SampleApp" env="PROD" "SalesDashboard") | rex field=_raw "\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\,\d+\s\|\s\w+\s\s\|\s\[\w+\]\s\|\s\[\w+\.\w+\.\w+\]\s\|\s((?<SaleName>\w+)\,)?(?<Date>\d+\-\d+\-\d+)\,(?<SaleID>\w+)\,(?<BusinessType>\w+)\,(?<SaleType>\w+)\,(?<SaleStatus>\w+)\,(?<SaleCount>\d+)" | where (((((isnotnull(Date) AND isnotnull(SaleID)) AND isnotnull(BusinessType)) AND isnotnull(SaleType)) AND isnotnull(SaleStatus)) AND isnotnull(SaleCount)) | fields SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount

Value when the query fails in report (Sales Dashboard) -> Edit -> Open in Search

  • This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

over the time range: 5/17/17 12:00:00.000 AM - 5/17/17 9:00:00.000 AM did not return any data.

Possible solutions are to:
• relax the primary search criteria
• widen the time range of the search
• check that the default search indexes for your account include the desired indexes

The following messages were returned by the search subsystem:
• info : No matching fields exist

Please help me troubleshoot.
NOTE: I am using Splunk Enterprise.


0 Karma

Esteemed Legend

The problem may be the app in which the searches/dashboard are running (they are different between the 2). You can easily tell this by showing us the 2 URLs up until the first question mark.

0 Karma
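
Added example (not part of the original thread): because the same search text succeeds from one entry point, the rex pattern can be ruled out as the cause by running it offline. The Python below applies the question's pattern and its isnotnull filter to constructed events; the log layout and the sample values are assumptions inferred from the regex.

```python
import re

# The rex pattern from the question, verbatim (PCRE-style named groups).
REX = (
    r"\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\,\d+\s\|\s\w+\s\s\|\s\[\w+\]\s\|\s"
    r"\[\w+\.\w+\.\w+\]\s\|\s((?<SaleName>\w+)\,)?(?<Date>\d+\-\d+\-\d+)\,"
    r"(?<SaleID>\w+)\,(?<BusinessType>\w+)\,(?<SaleType>\w+)\,"
    r"(?<SaleStatus>\w+)\,(?<SaleCount>\d+)"
)
# Python spells named groups (?P<name>...). The pattern has no lookbehinds,
# so a plain textual substitution is safe here.
PATTERN = re.compile(REX.replace("(?<", "(?P<"))

REQUIRED = ("Date", "SaleID", "BusinessType", "SaleType", "SaleStatus", "SaleCount")

# Constructed sample events (assumed layout, not taken from the thread).
SAMPLES = [
    # Optional SaleName present.
    "2017-05-17 08:15:42,123 | INFO  | [main] | [com.sample.SalesDashboard] | "
    "Spring,2017-05-17,S1001,Retail,Online,Closed,42",
    # SaleName absent: the optional group is skipped and stays null.
    "2017-05-17 08:16:10,004 | WARN  | [main] | [com.sample.SalesDashboard] | "
    "2017-05-17,S1002,Wholesale,Direct,Open,7",
    # Only one space after the level: the literal \s\s in the pattern fails.
    "2017-05-17 08:17:03,456 | ERROR | [main] | [com.sample.SalesDashboard] | "
    "2017-05-17,S1003,Retail,Online,Closed,3",
]

def extract(event):
    """Mimic `rex field=_raw`: unanchored match, unmatched groups stay null."""
    match = PATTERN.search(event)
    return match.groupdict() if match else {}

def passes_where(fields):
    """Mimic the query's `where isnotnull(...)` clause."""
    return all(fields.get(name) is not None for name in REQUIRED)

def run(samples=SAMPLES):
    """Return the rows the query's rex + where stages would keep."""
    rows = (extract(event) for event in samples)
    return [row for row in rows if passes_where(row)]

if __name__ == "__main__":
    for row in run():
        print(row)
```

If the pattern extracts fields from a copy of a real event here, the regex is not what differs between the two entry points.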