Reporting

Unable to see report in Searches, Reports, and Alerts UI

_pravin
Communicator

Hi All,

 

I am having a very weird issue where I cannot see a report in the Splunk UI.

When I search using Filter: All, I can see the report, but when I set the filter to 0, I get 'no searches, reports, and alerts found'.

This couldn't be a case of visibility, as the configuration isn't set in the conf file. These are the specs set in the conf file, attached below for reference.

_pravin_3-1701257706588.png

I have also attached the metadata file, as there is no access control information set for the specific saved search. There are 6 more saved searches which I can see when I filter using Report, but not this specific one.

_pravin_2-1701257643596.png

 

_pravin_0-1701257230043.png

_pravin_1-1701257361037.png

No clue how the report is not found during the filter.

 

Thanks in advance.

 

Pravin

0 Karma
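A check worth running when the Reports filter hides a saved search that the All filter still shows: read the object straight from the saved-search endpoint with the rest command, so you see the name, owning app, sharing level and permissions the listing is working from, independent of the Web UI filter. This is an added example and not part of the original post; "your_report_name" stands in for the report in question, and splunk_server=local assumes you run it on the search head that owns the knowledge object:

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search title="your_report_name"
| table title eai:acl.app eai:acl.owner eai:acl.sharing eai:acl.perms.read eai:acl.perms.write disabled is_scheduled search
```

If the row comes back with the expected app, sharing level and a read permission that includes your role, the object and its ACL are fine and the problem lies in how the listing filters, which is where this thread ends up. If it does not come back at all, the namespace or permissions are the place to look first.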
1 Solution

_pravin
Communicator

Hi @gcusello ,

 

I got notified that this is a bug in Splunk.

Known issues - Splunk Documentation

UNDEFINED keyword shouldn't be used to replace empty cells.

 

Thanks,

Pravin

0 Karma


gcusello
SplunkTrust

Hi @_pravin,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello
SplunkTrust

Hi @_pravin ,

are you sure that these reports and alerts are shared at app level and they are in Search and Reporting App?

Try to deselect the app in the search dropdown filter, setting it to All.

Ciao.

Giuseppe

0 Karma

_pravin
Communicator

Hi @gcusello ,

 

Thanks for responding.

I figured out that the report was not being shown because of the eval command in the search (marked in red).

_pravin_0-1701280226133.png

When I remove the line and save the report, I can see the report when the filter is applied.

Not sure how the eval command could affect the report.

 

Regards,

Pravin

 

0 Karma

gcusello
SplunkTrust

Hi @_pravin,

Probably the eval doesn't always match, so all the other commands that use the Module field don't work.

Check if you really need this condition and try to replace it with the isnull() function.

Ciao.

Giuseppe

0 Karma

_pravin
Communicator

Hi @gcusello ,

 

I also feel that the eval command doesn't always match and so the SPL is not working.

I tried isnull(), len()>0, and even reversing the condition to look for empty cells, but none of them worked.

 

Thanks,

Pravin

 

0 Karma

gcusello
SplunkTrust

Hi @_pravin,

Please debug your search by deleting all the rows after the one before the eval command: what's the value of the Module field?

Do you have empty values or not?

Please, share your search also in text format.

Ciao.

Giuseppe

0 Karma

_pravin
Communicator

Hi @gcusello ,

 

The SPL is actually a report, so the data has not even been sent to the function that has been invoked.

I tried to add just the one line to the report and noticed that the report just disappears. 

_pravin_0-1701347582168.png

I am also attaching the code below

| mstats sum("mx.process.logs") as count WHERE "index"="mx_metrics" mx.env=$mx.env$ log.type=log span=10s BY pid service.name replica.name service.type module.names severity host cmd mx.env
| rename module.names as Module 
| rename host as Hostname 
| rename severity as lvl 
| rename pid as PID 
| eval Module=if(Module!="",Module,"UNDEFINED") 
| eval temp=split(Module,",") 
| mvexpand temp 
| eval recipient=("MX_MONITORING_".temp . "@mx.com") 
| fields - temp 
| rename _time as timestamp 
| mvcombine delim="," recipient 
| rename timestamp as _time 
| fields _time count PID service.name replica.name service.type Module lvl Hostname cmd mx.env recipient 
| sort 0 - _time 
| stats values(service.name) as Services values(replica.name) as Replicas values(PID) as PIDs values(Hostname) as Hosts sum(count) as Count_Of_Errors earliest_time(replica.name) as Earliest_Error_Time latest_time(replica.name) as Latest_Error_Time values(lvl) as Severities values(recipient) as Owners by Module mx.env 
| eval Earliest_Error_Time=strftime(Earliest_Error_Time,"%d/%m/%y %H:%M:%S") 
| eval Latest_Error_Time=strftime(Latest_Error_Time,"%d/%m/%y %H:%M:%S") 
| table Module Services Replicas PIDs Hosts Count_Of_Errors Earliest_Error_Time Latest_Error_Time Severities mx.env

I tried using the line in another report, and the other report also disappears in the report filter. Now I feel that this is more of a bug than a code functionality issue.

Please let me know what you feel about this.

 

Regards,

Pravin

0 Karma

gcusello
SplunkTrust

Hi @_pravin ,

as I said, if you run 

| mstats sum("mx.process.logs") as count WHERE "index"="mx_metrics" mx.env=$mx.env$ log.type=log span=10s BY pid service.name replica.name service.type module.names severity host cmd mx.env
| rename module.names as Module 
| rename host as Hostname 
| rename severity as lvl 
| rename pid as PID 

do you have null (or similar) values for the Module field?

Ciao.

Giuseppe

0 Karma

_pravin
Communicator

Hi @gcusello ,

 

I get an empty cell for the column Module. 

_pravin_0-1701362044109.png

Regards,

Pravin

 

0 Karma

gcusello
SplunkTrust

Hi @_pravin ,

Look in Interesting Fields: do you have empty values, or no values at all?

Ciao.

Giuseppe

0 Karma

_pravin
Communicator

Hi @gcusello ,

 

When I run the below search, I get results like these. Not sure if this is empty value or no value.

_pravin_0-1701362890416.png

_pravin_1-1701363282662.png

Regards,

Pravin

 

0 Karma

gcusello
SplunkTrust

Hi @_pravin ,

Sorry, I wasn't clear; in the Events tab, check in Interesting Fields whether the empty value is present in the Module field or not.

Ciao.

Giuseppe

0 Karma

_pravin
Communicator

Hi @gcusello ,

 

The empty values are present in interesting fields.

_pravin_1-1701365052932.png

 

Regards,

Pravin

0 Karma
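Giuseppe's question throughout the thread is whether Module is missing or present as an empty string, and the accepted answer adds that the literal UNDEFINED should not be used as the fill value. The following added example, which is not code from the original post, settles both in one search over the same metric: it classifies each Module value as null, empty string or set, and normalises the first two to a placeholder other than UNDEFINED. NOT_SET is an arbitrary choice made on the assumption that only the UNDEFINED keyword triggers the documented issue; the $mx.env$ dashboard token from the original search is left out so this runs from a plain search bar:

```spl
| mstats sum("mx.process.logs") as count WHERE "index"="mx_metrics" log.type=log BY module.names
| rename module.names as Module
| eval module_state=case(isnull(Module), "null", Module=="", "empty_string", true(), "set")
| eval Module=if(module_state=="set", Module, "NOT_SET")
| stats sum(count) as events by module_state Module
```

The module_state column tells you which case you actually have, since the Interesting Fields panel shows a null and an empty string the same way. Once the report carries this normalisation instead of the original if(Module!="",Module,"UNDEFINED") line, the split()/mvexpand chain that follows keeps working on Module unchanged.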

gcusello
SplunkTrust

Hi @_pravin ,

Did you try the inverse condition:

| eval Module=if(Module="*",Module,"UNDEFINED") 

Ciao.

Giuseppe

0 Karma

_pravin
Communicator

Hi @gcusello ,

 

I tried the inverse condition as well, but didn't work.

 

Regards,

Pravin

 

0 Karma