Solved: Re: Inline search is not working in a dashboard

edrivera3 · ‎04-24-2015

Hi
I had a similar problem last month. I received a solution but now I encountered the same problem but the solution does not apply to it.
Here is my previous question :
http://answers.splunk.com/answers/231397/why-does-my-search-work-in-the-search-app-but-not-1.html?ut...

My problem is that the field "test_name" is not showing in the table. If I hit "Open in Search" in the dashboard panel, the whole table is showed correctly.
"index=index_1 AND [search index=index_2 | fields field_1,field2] | rex "/n(?< test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?< field_3>/d+-/d+) | rex "Blahblash(?< field_4>[/w/W]{1,200}) | table test_name,field_3,field_4"

Note: All slash are really backslash (I changed them here for the purpose of showing where the backslash are)

NOUMSSI · ‎04-25-2015

Hi try with join commande

index=index_1 | rex "/n(?< test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?< field_3>/d+-/d+) | rex "Blahblash(?< field_4>[/w/W]{1,200}) | join [search index=index_2 | fields field_1,field2] |table test_name,field_3,field_4

Let me know if you have any issue

View solution in original post

NOUMSSI · ‎04-25-2015

Hi try with join commande

index=index_1 | rex "/n(?< test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?< field_3>/d+-/d+) | rex "Blahblash(?< field_4>[/w/W]{1,200}) | join [search index=index_2 | fields field_1,field2] |table test_name,field_3,field_4

Let me know if you have any issue

edrivera3 · ‎04-27-2015

Ok. I tried this and I found the following:
1. The results take more time to show up with " | join" than If were using "AND"
2. When the table is starting to populate I saw some events that later are not in the table. I hit the "Open in Search" in the dashboard and I saw the same behavior. I checked my data and that event should be in the table.

I am concerned about this strange splunk behavior. First, why my initial search that runs correctly in the dashboard doesn't find any results if it is divided by search base. Why there are some events that appeared in the table when it is been populated and then they disappear.

edrivera3 · ‎04-27-2015

Maybe the problem is related to this subsearch.
...| eventstats count by field_3 | search count = 1 | table ...

I am trying to show only unique values of field_3. Maybe this is not the proper way.

edrivera3 · ‎04-27-2015

Yes, that was the problem. I changed it to:
...| dedup field_3 | table

NOUMSSI · ‎04-27-2015

Ok .please forgive me to have not follow you. I as very busy.
So dedup commande will remove all the duplicates and then sort the results based on the specified sort-by field.
You can also use dc commande which Remove duplicates results with the same host value and return the total count of the remaining results. Fro example: ... | stats dc(host)

edrivera3 · ‎04-24-2015

Update: I found that the problem occurred only when the inline search is divided by a search base:
< search id="base_1">
index=index_1 AND [search index=index_2 | fields field_1,field_2]< /query>
< /search>

< panel>
< search base="base_1">
< query> rex "/n(?< test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?< field_3>/d+-/d+) | rex "Blahblash(?< field_4>[/w/W]{1,200}) | table test_name,field_3,field_4 < /query>
< /search>

If the inline search is entirely in the panel, the table is showed correctly. This is weird because I use that search base to power all my other panels without a problem.

Inline search is not working in a dashboard

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!