Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Troubleshooting help - Report fails, but query runs in search

deepak02
Path Finder
‎05-17-2017 07:27 AM

Hi,

We have a query like this:

app="SampleApp" env="PROD" "SalesDashboard" 
| rex field=_raw "\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\,\d+\s\|\s\w+\s\s\|\s\[\w+\]\s\|\s\[\w+\.\w+\.\w+\]\s\|\s((?<SaleName>\w+)\,)?(?<Date>\d+\-\d+\-\d+)\,(?<SaleID>\w+)\,(?<BusinessType>\w+)\,(?<SaleType>\w+)\,(?<SaleStatus>\w+)\,(?<SaleCount>\d+)" 
| fields SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount 
| where isnotnull(Date) AND isnotnull(SaleID) AND isnotnull(BusinessType) AND isnotnull(SaleType) AND isnotnull (SaleStatus) AND isnotnull(SaleCount) 
| table SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount

The query runs when I go to Reports -> Open in Search
- Refer below for screenshot
The query fails when I go into the report(Sales Dashboard) -> Edit -> Open in Search. The error thrown is 'No matching fields exist'.
- Refer below for screenshot

alt text
When I go into 'Inspect Job':

Value when the query works in Reports -> Open in Search

  • search (app="SampleApp" env="PROD" "SalesDashboard") | rex field=_raw "\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d+\s|\s\w+\s\s|\s[\w+]\s|\s[\w+.\w+.\w+]\s|\s((?\w+)\,)?(?\d+-\d+-\d+)\,(?\w+)\,(?\w+)\,(?\w+)\,(?\w+)\,(?\d+)" | where (((((isnotnull(Date) AND isnotnull(SaleID)) AND isnotnull(BusinessType)) AND isnotnull(SaleType)) AND isnotnull(SaleStatus)) AND isnotnull(SaleCount)) | fields SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount

Value when the query fails in report (Sales Dashboard)-> Edit -> Open in Search

  • This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

alt text

over the time range: 5/17/17 12:00:00.000 AM - 5/17/17 9:00:00.000 AM did not return any data.

Possible solutions are to:
• relax the primary search criteria
• widen the time range of the search
• check that the default search indexes for your account include the desired indexes

The following messages were returned by the search subsystem:
• info : No matching fields exist

Please help me troubleshoot.
NOTE: I am using Splunk Enterprise.

Thanks,
Deepak

Tags (1)
Preview file
28 KB
Preview file
15 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎05-17-2017 11:15 AM

The problem may be the app in which the searches/dashboard are running (they are different between the 2). You can easily tell this by show us the 2 URLs up until the first question mark.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...