Hi
I had a similar problem last month. I received a solution, but now I have encountered the same problem again and that solution does not apply to it.
Here is my previous question :
http://answers.splunk.com/answers/231397/why-does-my-search-work-in-the-search-app-but-not-1.html?ut...
My problem is that the field "test_name" is not showing in the table. If I hit "Open in Search" in the dashboard panel, the whole table is shown correctly.
index=index_1 AND [search index=index_2 | fields field_1,field2] | rex "/n(?<test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?<field_3>/d+-/d+)" | rex "Blahblash(?<field_4>[/w/W]{1,200})" | table test_name,field_3,field_4
Note: All slashes are really backslashes (I changed them here for the purpose of showing where the backslashes are).
Hi, try with the join command:
index=index_1 | rex "/n(?<test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?<field_3>/d+-/d+)" | rex "Blahblash(?<field_4>[/w/W]{1,200})" | join [search index=index_2 | fields field_1,field2] | table test_name,field_3,field_4
Let me know if you have any issue.
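To make the difference between the two search shapes in this thread concrete, here is an added Python model of their semantics (it is not Splunk, not the thread's own code, and not a replacement for it). The field names test_name, field_1, field2 and field_3 come from the thread; the sample events, their values and the extra "owner" field are constructed. It also models the row caps Splunk applies to subsearch output (10,000 rows by default for a subsearch used as a filter, 50,000 for the subsearch inside join) as one way rows can silently go missing from a table.

```python
"""Model of the two SPL shapes discussed in the thread:

  index=index_1 AND [search index=index_2 | fields field_1,field2]
  index=index_1 | join [search index=index_2 | fields field_1,field2]

This is a constructed Python simulation of the semantics, not Splunk itself.
"""

# Constructed sample events; field names follow the thread, values are made up.
INDEX_1 = [
    {"test_name": "t1", "field_1": "srv-a", "field2": "eu", "field_3": "10-1"},
    {"test_name": "t2", "field_1": "srv-b", "field2": "us", "field_3": "10-2"},
    {"test_name": "t3", "field_1": "srv-c", "field2": "eu", "field_3": "10-3"},
    {"test_name": "t4", "field_1": "srv-a", "field2": "us", "field_3": "10-4"},
]
INDEX_2 = [
    {"field_1": "srv-a", "field2": "eu", "owner": "team-red"},
    {"field_1": "srv-b", "field2": "us", "owner": "team-blue"},
    {"field_1": "srv-z", "field2": "eu", "owner": "team-green"},
]


def subsearch(events, names, limit=None):
    """'search index=... | fields a,b' used as a subsearch: a list of result
    rows holding only the named fields. Splunk caps subsearch output
    (limits.conf: 10,000 rows for a filter subsearch, 50,000 for join's
    subsearch by default); 'limit' models that cap. Rows past the cap are
    dropped silently, so outer events that only match those rows vanish."""
    rows = [{n: e[n] for n in names} for e in events if all(n in e for n in names)]
    return rows if limit is None else rows[:limit]


def and_subsearch(outer, rows):
    """'index=index_1 AND [subsearch]': Splunk rewrites the rows into
    (a=x AND b=y) OR (a=.. AND b=..) and uses that purely as a *filter*.
    No fields from index_2 are attached to the surviving events."""
    def matches(event):
        return any(all(event.get(k) == v for k, v in row.items()) for row in rows)
    return [e for e in outer if matches(e)]


def join_subsearch(outer, rows, keys):
    """'| join <keys> [subsearch]': inner join, first matching right row only
    (join's default max=1), right-side fields overwrite the left side
    (overwrite=true). Without an explicit key list Splunk joins on every
    field the two sides have in common, so this model takes the keys
    explicitly, which is also the safer way to write the real search."""
    joined = []
    for event in outer:
        for row in rows:
            if all(event.get(k) == row.get(k) for k in keys):
                merged = dict(event)
                merged.update(row)
                joined.append(merged)
                break  # max=1: one right row per left event
    return joined


def table(events, *cols):
    """'| table a,b': keep only the named columns, in order, per event."""
    return [tuple(e.get(c) for c in cols) for e in events]


if __name__ == "__main__":
    rows = subsearch(INDEX_2, ["field_1", "field2"])
    print("AND  :", table(and_subsearch(INDEX_1, rows), "test_name", "field_3"))
    print("join :", table(join_subsearch(INDEX_1, rows, ["field_1", "field2"]), "test_name", "field_3"))
    # With the subsearch truncated to one row, t2 disappears from both shapes.
    capped = subsearch(INDEX_2, ["field_1", "field2"], limit=1)
    print("capped:", table(and_subsearch(INDEX_1, capped), "test_name"))
```

On the constructed data both shapes return the same two events, t1 and t2, which is why switching from AND to join does not by itself change what the table contains; what differs is that join carries fields from index_2 along and has its own (larger) subsearch cap, and that it runs slower because it matches row by row instead of compiling the rows into a single filter.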
Ok. I tried this and I found the following:
1. The results take more time to show up with " | join" than if I were using "AND".
2. When the table is starting to populate, I saw some events that later are not in the table. I hit "Open in Search" in the dashboard and saw the same behavior. I checked my data, and that event should be in the table.
I am concerned about this strange Splunk behavior. First, why does my initial search, which runs correctly in the dashboard, not find any results when it is divided by a search base? Second, why do some events appear in the table while it is being populated and then disappear?
Maybe the problem is related to this subsearch.
...| eventstats count by field_3 | search count = 1 | table ...
I am trying to show only unique values of field_3. Maybe this is not the proper way.
Yes, that was the problem. I changed it to:
...| dedup field_3 | table
Ok, please forgive me for not having followed you. I was very busy.
So the dedup command will remove all the duplicates and then sort the results based on the specified sort-by field.
You can also use the dc command, which removes duplicate results with the same host value and returns the total count of the remaining results. For example: ... | stats dc(host)
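The "events appear and then disappear" observation earlier in the thread follows directly from what the original eventstats pattern computes, compared with the dedup and dc commands discussed just above. The following is an added Python model of those three SPL shapes (not Splunk, and not the thread's own code); the field names test_name and field_3 come from the thread, the events and their values are constructed, and the replay function models a table filling up in arrival order.

```python
"""Model of three SPL shapes from the thread:

  ... | eventstats count by field_3 | search count = 1
  ... | dedup field_3
  ... | stats dc(field_3)

Constructed Python simulation of the semantics, not Splunk itself.
"""
from collections import Counter

# Constructed events in arrival order; the field_3 value "10-2" occurs twice.
EVENTS = [
    {"test_name": "t1", "field_3": "10-1"},
    {"test_name": "t2", "field_3": "10-2"},
    {"test_name": "t3", "field_3": "10-3"},
    {"test_name": "t4", "field_3": "10-2"},
]


def eventstats_count_eq_1(events, field):
    """'| eventstats count by <field> | search count = 1': every event is
    tagged with how many events share its value, then only singletons survive.
    A value seen twice loses *both* of its events, which is not "unique values"
    in the sense the thread wanted."""
    counts = Counter(e[field] for e in events)
    return [e for e in events if counts[e[field]] == 1]


def dedup(events, field):
    """'| dedup <field>': keep the first event seen for each distinct value,
    so every value is still represented exactly once."""
    seen, kept = set(), []
    for e in events:
        if e[field] not in seen:
            seen.add(e[field])
            kept.append(e)
    return kept


def stats_dc(events, field):
    """'| stats dc(<field>)': the distinct count as a single number; this is a
    transforming command and returns no events, only the count."""
    return len({e[field] for e in events})


def replay_eventstats(events, field):
    """Replay arrival order to show why a row is visible while the table is
    still populating and then vanishes: once the second "10-2" event arrives,
    count becomes 2 for both and 'search count = 1' drops them."""
    visible = []
    for i in range(1, len(events) + 1):
        partial = events[:i]
        visible.append([e["test_name"] for e in eventstats_count_eq_1(partial, field)])
    return visible


if __name__ == "__main__":
    print("eventstats/count=1:", [e["test_name"] for e in eventstats_count_eq_1(EVENTS, "field_3")])
    print("dedup             :", [e["test_name"] for e in dedup(EVENTS, "field_3")])
    print("stats dc          :", stats_dc(EVENTS, "field_3"))
    print("replay            :", replay_eventstats(EVENTS, "field_3"))
```

The replay shows t2 present after the second and third events arrive and gone after the fourth, which is exactly the "it was in the table, then it was not" symptom; dedup keeps t2 (the first occurrence of "10-2") throughout, and dc only tells you there are three distinct values.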
Update: I found that the problem occurs only when the inline search is divided by a search base:
<search id="base_1">
</search>
<panel>
<search base="base_1">
<query><![CDATA[ rex "/n(?<test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?<field_3>/d+-/d+)" | rex "Blahblash(?<field_4>[/w/W]{1,200})" | table test_name,field_3,field_4 ]]></query>
</search>
If the inline search is entirely in the panel, the table is shown correctly. This is weird because I use that search base to power all my other panels without a problem.