Scratching my head on this one. I'm relatively new to Splunk and the DBConnect app. I have successfully created several saved searches and have been able to chart the results. However, when I try to display the results of a saved search in a simpleresultstable the Splunk Search Job inspector displays the following:
This search has completed and has returned 10 results by scanning 0 events in 0.829 seconds.
It is an instance of the saved search: RemedyDB Oldest Unresolved Tix.
The following messages were returned by the search subsystem:
DEBUG: The 'dbquery' command is implemented as an external script and may cause the search to be significantly slower.
DEBUG: search context: user="admin", app="mcitservicedesk", bs-pathname="D:\Splunk\etc"
I'm using advanced XML as follows:
<module name="HiddenSavedSearch" layoutPanel="panel_row4_col2" group="Oldest Unsolved Tickets" autoRun="True">
<param name="savedSearch">Oldest Unresolved Tix</param>
<module name="SimpleResultsTable">
<param name="drilldown">none</param>
<param name="entityName">events</param>
<param name="allowTransformedFieldSelect">True</param>
</module>
</module>
Saved Search looks like:
| dbquery database "SELECT ID, SUBMITTEDBY, CREATEDATE, RESOLVEDDATE, STAFFASSIGNED, MODIFIEDDATE, STATUS, UNIQNAME, GROUPX, CATEGORY, CLASS, ITEM FROM table name WHERE RESOLVEDDATE IS NULL AND INCIDENTX='TKT' AND ROWNUM < =10 ORDER BY CREATEDATE" limit=10 | eval _time=CREATEDATE | sort+ CREATEDATE
Any help would be greatly appreciated.
I would change the entityName param from events to results, like so:
<param name="entityName">results</param>
When you're running a regular Splunk search that can be a difference between the results (think the rows output by a timechart command) and the underlying events (think the events that were aggregated by that timechart command), and as such there's a distinction between events and results built into the API.
Python search commands however rarely output any events and they usually just output results. This seems to be the case with the dbquery command. How all of this results in that weird message coming back to the SimpleResultsTable is another matter, but a secondary one.
Also, if you're using a current version of Sideview Utils, you can use the Table module instead of SimpleResultsTable and it's a bit easier to use.
I would change the entityName param from events to results, like so:
<param name="entityName">results</param>
When you're running a regular Splunk search that can be a difference between the results (think the rows output by a timechart command) and the underlying events (think the events that were aggregated by that timechart command), and as such there's a distinction between events and results built into the API.
Python search commands however rarely output any events and they usually just output results. This seems to be the case with the dbquery command. How all of this results in that weird message coming back to the SimpleResultsTable is another matter, but a secondary one.
Also, if you're using a current version of Sideview Utils, you can use the Table module instead of SimpleResultsTable and it's a bit easier to use.
Many thanks!