Inline search is not working in a dashboard

Hi
I had a similar problem last month. I received a solution, but now I have encountered the same problem and the solution does not apply to it.
Here is my previous question:
http://answers.splunk.com/answers/231397/why-does-my-search-work-in-the-search-app-but-not-1.html?ut...

My problem is that the field "test_name" is not showing in the table. If I hit "Open in Search" in the dashboard panel, the whole table is shown correctly.
index=index_1 AND [search index=index_2 | fields field_1,field_2] | rex "/n(?<test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?<field_3>/d+-/d+)" | rex "Blahblash(?<field_4>[/w/W]{1,200})" | table test_name,field_3,field_4

Note: All slashes are really backslashes (I changed them here to show where the backslashes are).

Re: Inline search is not working in a dashboard

Update: I found that the problem occurs only when the inline search is divided by a search base:
<search id="base1">
<query>index=index_1 AND [search index=index_2 | fields field_1,field_2]</query>
</search>

<panel>
<search base="base1">
<query>rex "/n(?&lt;test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?&lt;field_3>/d+-/d+)" | rex "Blahblash(?&lt;field_4>[/w/W]{1,200})" | table test_name,field_3,field_4</query>
</search>
</panel>

If the inline search is entirely in the panel, the table is shown correctly. This is weird because I use that search base to power all my other panels without a problem.

Re: Inline search is not working in a dashboard

Hi, try with the join command:

index=index_1 | rex "/n(?<test_name>[/w/W]{1,})/nDATASET" | rex "Blahblah (?<field_3>/d+-/d+)" | rex "Blahblash(?<field_4>[/w/W]{1,200})" | join [search index=index_2 | fields field_1,field_2] | table test_name,field_3,field_4

Let me know if you have any issue

Re: Inline search is not working in a dashboard

OK. I tried this and I found the following:
1. The results take more time to show up with " | join" than if I were using "AND".
2. When the table was starting to populate, I saw some events that later were not in the table. I hit "Open in Search" in the dashboard and I saw the same behavior. I checked my data and that event should be in the table.

I am concerned about this strange Splunk behavior. First, why does my initial search, which runs correctly in the dashboard, not find any results when it is divided by a search base? And why do some events appear in the table while it is being populated and then disappear?

Re: Inline search is not working in a dashboard

Maybe the problem is related to this subsearch.
...| eventstats count by field_3 | search count = 1 | table ...

I am trying to show only unique values of field_3. Maybe this is not the proper way.

Re: Inline search is not working in a dashboard

Yes, that was the problem. I changed it to:
...| dedup field_3 | table

Re: Inline search is not working in a dashboard

OK, please forgive me for not having followed up with you. I was very busy.
So the dedup command will remove all the duplicates and then sort the results based on the specified sort-by field.
You can also use the dc command, which removes duplicate results with the same host value and returns the total count of the remaining results. For example: ... | stats dc(host)
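
Added example, not part of any post in this thread: a single SPL search over five constructed events that marks, row by row, what the `eventstats count by field_3 | search count=1` filter would keep and what `dedup field_3` would keep. The values of field_3 and the helper fields n, seen, kept_by_count_filter and kept_by_dedup are made up for the illustration.

```spl
| makeresults count=5
| streamstats count as n
| eval field_3=case(n<=2, "100-1", n<=4, "200-2", true(), "300-3")
| eventstats count by field_3
| eval kept_by_count_filter=if(count=1, "yes", "no")
| streamstats count as seen by field_3
| eval kept_by_dedup=if(seen=1, "yes", "no")
| table n field_3 count kept_by_count_filter kept_by_dedup
```

Only the row with 300-3, the one value that occurs exactly once, passes the count filter, while the dedup column marks the first event of every distinct value (rows 1, 3 and 5).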