Splunk Search

Query works fine in search, not on dashboard

troyward
Explorer

Update: So after doing a little more investigation, it looks like the line

|   search Result="Correct"

is what is actually giving me problems on the dashboard coming out of the post processing search. When I just do the 2nd line of the sub-search it works fine.

I have a very simple query that runs correctly in search, but when I try to use it on a dashboard, it doesn't come back with anything. The raw search is:

earliest=0 index=scoreboard_admin user!=admin Number=3 `get_user_info` 
|   search Result="Correct"
| stats dc(user) as "Users Who Completed"

Which returns the correct answer (19).

When I put it in my dashboard (as a post-processing search), I don't come up with anything.

  <search id="base">
    <query>
      earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info` 
    </query>
    <earliest>0</earliest>
    <latest>now</latest>
    <done>
      <set token="tokHTML">$result.data$</set>
    </done>
  </search>

    <panel id="users_correct">
      <table>
        <title>Users with Correct Answer</title>
        <search base="base">
          <query>|  search Result="Correct"
| stats dc(user) as "Users Who Completed"</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>

The original post-processing search only returns about 300 records so not worried about hitting that limit. Also, I have another post-processing search based on the same base search that does work just fine.

When I do an inspection on the dashboard, this is what I get

Duration (seconds) Component Invocations Input count Output count
0.00 command.eval 3 317 317
0.00 command.fields 2 317 317
0.02 command.lookup 3 317 317
0.02 command.search 2 - 317
0.03 command.search.expand_search 2 - -
0.00 command.search.filter 1 - -
0.00 command.search.index 3 - -
0.00 command.search.calcfields 1 1,070 1,070
0.00 command.search.fieldalias 1 1,070 1,070
0.00 command.search.index.usec_1_8 32 - -
0.01 command.search.rawdata 1 - -
0.00 command.search.kv 1 - -
0.00 command.search.lookups 1 1,070 1,070
0.00 command.search.parse_directives 2 - -
0.00 command.search.summary 2 - -
0.00 command.search.tags 1 317 317
0.00 command.search.typer 1 317 317
0.00 command.simpleresultcombiner 3 317 317
0.00 command.timeliner 3 317 317
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate.eval 2 - -
0.00 dispatch.evaluate.lookup 2 - -
0.05 dispatch.evaluate.search 2 - -
0.00 dispatch.evaluate.simpleresultcombiner 2 - -
0.04 dispatch.fetch.rcp.phase_0 3 - -
0.01 dispatch.finalWriteToDisk 1 - -
0.02 dispatch.localSearch 1 - -
0.00 dispatch.readEventsInResults 1 - -
0.02 dispatch.stream.local 2 - -
0.00 dispatch.timeline 3 - -
0.00 dispatch.writeStatus 2 - -
0.11 startup.configuration 2 - -
0.30 startup.handoff 2 - -

normalizedSearch litsearch (index=scoreboard_admin user!=admin Number=3 _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"
numPreviews None
optimizedSearch | search (user!=admin Number=3 earliest=0 index=scoreboard_admin) | lookup ctf_users Username as user | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user)
phase0 litsearch (user!=admin Number=3 index=scoreboard_admin _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"
phase1 simpleresultcombiner max=0 | lookup ctf_users Username as user | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | timeliner remote=0 partial_commits=1 max_events_per_bucket=500000 fieldstats_update_maxperiod=60 bucket=0
pid 22450
priority 5
provenance UI:Dashboard:question_investigator

remoteSearch litsearch (user!=admin Number=3 index=scoreboard_admin _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"

When I do an inspection on the raw Search I get:

Duration (seconds) Component Invocations Input count Output count
0.00 command.addinfo 3 19 19
0.00 command.eval 3 19 19
0.00 command.fields 2 317 317
0.09 command.lookup 3 317 317
0.07 command.search 5 317 336
0.06 command.search.expand_search 2 - -
0.00 command.search.filter 4 - -
0.00 command.search.index 3 - -
0.00 command.search.calcfields 1 1,070 1,070
0.00 command.search.fieldalias 1 1,070 1,070
0.00 command.search.index.usec_1_8 32 - -
0.05 command.search.rawdata 1 - -
0.02 command.search.typer 1 317 317
0.01 command.search.kv 1 - -
0.00 command.search.lookups 1 1,070 1,070
0.00 command.search.parse_directives 2 - -
0.00 command.search.summary 2 - -
0.00 command.search.tags 1 317 317
0.00 command.simpleresultcombiner 3 317 317
0.00 command.stats 4 19 1
0.00 command.stats.execute_input 3 19 -
0.00 command.stats.execute_output 1 - 1
0.00 command.timeliner 3 19 19
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate.eval 2 - -
0.00 dispatch.evaluate.lookup 2 - -
0.10 dispatch.evaluate.search 4 - -
0.00 dispatch.evaluate.simpleresultcombiner 2 - -
0.00 dispatch.evaluate.stats 2 - -
0.12 dispatch.fetch.rcp.phase_0 3 - -
0.00 dispatch.finalWriteToDisk 1 - -
0.07 dispatch.localSearch 1 - -
0.07 dispatch.stream.local 2 - -
0.00 dispatch.timeline 3 - -
0.00 dispatch.writeStatus 2 - -
0.06 startup.configuration 2 - -
0.03 startup.handoff 2 - -

optimizedSearch | search (user!=admin Number=3 earliest=0 index=scoreboard_admin) | lookup ctf_users Username as user| search Result="Correct" | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | stats dc(user) as "Users Who Completed"
phase0 litsearch (user!=admin Number=3 index=scoreboard_admin time>=0.000) | fields keepcolorder=t "*" "DisplayUsername" "Result" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "prestats_reserved" "psrsvd_" "source" "sourcetype" "splunk_server" "user"
phase1 simpleresultcombiner max=0 | lookup ctf_users Username as user | search Result="Correct" | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | addinfo type=count label=prereport_events track_fieldmeta_events=true | timeliner remote=0 partial_commits=1 max_events_per_bucket=1000 fieldstats_update_maxperiod=60 bucket=300 extra_field=* | stats dc(user) as "Users Who Completed"
pid 23844
priority 5
provenance UI:Search
remoteSearch litsearch (user!=admin Number=3 index=scoreboard_admin time>=0.000) | fields keepcolorder=t "*" "DisplayUsername" "Result" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "prestats_reserved" "psrsvd_" "source" "sourcetype" "splunk_server" "user"


gcusello
SplunkTrust

Hi troyward,
using post process search, you have to declare the fields to use in the panels using the fields command.
So your base search must be:

earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info` 
| fields Result user

If you have other panels using other fields, you have to add them to the fields command.

Bye.
Giuseppe
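To make the fix concrete, here is the poster's dashboard rewritten with the `fields` command added to the base search. This is an added example, not code from the thread: the `<form>` wrapper and the text input that feeds `$QuestionNum$` are assumptions (the job inspector output above shows the token expanding to `Number=3`, so the default follows that), and the dashboard name is taken from the `provenance` line. The reason it works is visible in the two inspections quoted in the question: the dashboard's `phase0` keeps `"DisplayUsername" "Team" "Username" ... "user"` but not `Result`, while the raw search's `phase0` keeps `"Result"`, so the post-process `search Result="Correct"` had no field to match against.

```xml
<!-- Added example, not the original poster's dashboard. Assumptions: <form> with a
     text input for $QuestionNum$ and the default value "Number=3". -->
<form>
  <label>question_investigator</label>
  <fieldset submitButton="false">
    <input type="text" token="QuestionNum">
      <label>Question (e.g. Number=3)</label>
      <default>Number=3</default>
    </input>
  </fieldset>

  <!-- Base search: every field a post-process search will filter on or aggregate
       (Result, user) must be kept explicitly with "fields"; otherwise the base
       job only retains its default field set and Result is never available. -->
  <search id="base">
    <query>
      earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info`
      | fields Result user
    </query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel id="users_correct">
      <table>
        <title>Users with Correct Answer</title>
        <!-- Post-process search: runs over the base job's results, so it can now
             see Result and user. -->
        <search base="base">
          <query>| search Result="Correct"
| stats dc(user) as "Users Who Completed"</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
```

If another panel on the same base search needs further fields (for example `Team` or `Number`), they go on the same `| fields` line; a post-process search can only use what the base search kept. Keeping the base search non-transforming and narrowing with `fields` also keeps the result set small, which matters because post-process searches are bounded by the base job's result count.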

troyward
Explorer

Wow, I don't get it. I've never done that before and never had issues but that did it.

Thanks


iamarkaprabha
Contributor

Does the macro have the permission level for the same app where the dashboard was created?


troyward
Explorer

Yes, like I said, the base query works fine in one of the other panels on the dashboard. Also when I run it in Search it's in the context of that app.
