Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query works fine in search, not on dashboard

troyward
Explorer
‎10-30-2018 07:18 PM

Update: So doing a little more investigation it looks like the line 

|   search Result="Correct"

is what is actually giving me problems on the dashboard coming out of the post processing search. When I just do the 2nd line of the sub-search it works fine.

I have a very simple query that runs correctly in search, but when I try to use it on a dashboard, it doesn't come back with anything. The raw search is:

earliest=0 index=scoreboard_admin user!=admin Number=3 `get_user_info` 
|   search Result="Correct"
| stats dc(user) as "Users Who Completed"

Which returns the correct answer (19)

When I put it in my dashboard (as a post-processing search, I don't come up with anything.

  <search id="base">
    <query>
      earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info` 
    </query>
    <earliest>0</earliest>
    <latest>now</latest>
    <done>
      <set token="tokHTML">$result.data$</set>
    </done>
  </search>

    <panel id="users_correct">
      <table>
        <title>Users with Correct Answer</title>
        <search base="base">
          <query>|  search Result="Correct"
| stats dc(user) as "Users Who Completed"</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>

The original post-processing search only returns about 300 records so not worried about hitting that limit. Also, I have another post-processing search based on the same base search that does work just fine.

When I do an inspection on the dashboard, this is what I get

Duration (seconds) Component Invocations Input count Output count
0.00 command.eval 3 317 317
0.00 command.fields 2 317 317
0.02 command.lookup 3 317 317
0.02 command.search 2 - 317
0.03 command.search.expand_search 2 - -
0.00 command.search.filter 1 - -
0.00 command.search.index 3 - -
0.00 command.search.calcfields 1 1,070 1,070
0.00 command.search.fieldalias 1 1,070 1,070
0.00 command.search.index.usec_1_8 32 - -
0.01 command.search.rawdata 1 - -
0.00 command.search.kv 1 - -
0.00 command.search.lookups 1 1,070 1,070
0.00 command.search.parse_directives 2 - -
0.00 command.search.summary 2 - -
0.00 command.search.tags 1 317 317
0.00 command.search.typer 1 317 317
0.00 command.simpleresultcombiner 3 317 317
0.00 command.timeliner 3 317 317
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate.eval 2 - -
0.00 dispatch.evaluate.lookup 2 - -
0.05 dispatch.evaluate.search 2 - -
0.00 dispatch.evaluate.simpleresultcombiner 2 - -
0.04 dispatch.fetch.rcp.phase_0 3 - -
0.01 dispatch.finalWriteToDisk 1 - -
0.02 dispatch.localSearch 1 - -
0.00 dispatch.readEventsInResults 1 - -
0.02 dispatch.stream.local 2 - -
0.00 dispatch.timeline 3 - -
0.00 dispatch.writeStatus 2 - -
0.11 startup.configuration 2 - -
0.30 startup.handoff 2 - -

normalizedSearch litsearch (index=scoreboard_admin user!=admin Number=3 _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"
numPreviews None
optimizedSearch | search (user!=admin Number=3 earliest=0 index=scoreboard_admin) | lookup ctf_users Username as user | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user)
phase0 litsearch (user!=admin Number=3 index=scoreboard_admin _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"
phase1 simpleresultcombiner max=0 | lookup ctf_users Username as user | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | timeliner remote=0 partial_commits=1 max_events_per_bucket=500000 fieldstats_update_maxperiod=60 bucket=0
pid 22450
priority 5
provenance UI:Dashboard:question_investigator

remoteSearch litsearch (user!=admin Number=3 index=scoreboard_admin _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"

When I do an inspection on the raw Search I get:

Duration (seconds) Component Invocations Input count Output count
0.00 command.addinfo 3 19 19
0.00 command.eval 3 19 19
0.00 command.fields 2 317 317
0.09 command.lookup 3 317 317
0.07 command.search 5 317 336
0.06 command.search.expand_search 2 - -
0.00 command.search.filter 4 - -
0.00 command.search.index 3 - -
0.00 command.search.calcfields 1 1,070 1,070
0.00 command.search.fieldalias 1 1,070 1,070
0.00 command.search.index.usec_1_8 32 - -
0.05 command.search.rawdata 1 - -
0.02 command.search.typer 1 317 317
0.01 command.search.kv 1 - -
0.00 command.search.lookups 1 1,070 1,070
0.00 command.search.parse_directives 2 - -
0.00 command.search.summary 2 - -
0.00 command.search.tags 1 317 317
0.00 command.simpleresultcombiner 3 317 317
0.00 command.stats 4 19 1
0.00 command.stats.execute_input 3 19 -
0.00 command.stats.execute_output 1 - 1
0.00 command.timeliner 3 19 19
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate.eval 2 - -
0.00 dispatch.evaluate.lookup 2 - -
0.10 dispatch.evaluate.search 4 - -
0.00 dispatch.evaluate.simpleresultcombiner 2 - -
0.00 dispatch.evaluate.stats 2 - -
0.12 dispatch.fetch.rcp.phase_0 3 - -
0.00 dispatch.finalWriteToDisk 1 - -
0.07 dispatch.localSearch 1 - -
0.07 dispatch.stream.local 2 - -
0.00 dispatch.timeline 3 - -
0.00 dispatch.writeStatus 2 - -
0.06 startup.configuration 2 - -
0.03 startup.handoff 2 - -

optimizedSearch | search (user!=admin Number=3 earliest=0 index=scoreboard_admin) | lookup ctf_users Username as user| search Result="Correct" | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | stats dc(user) as "Users Who Completed"
phase0 litsearch (user!=admin Number=3 index=scoreboard_admin time>=0.000) | fields keepcolorder=t "*" "DisplayUsername" "Result" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "prestats_reserved" "psrsvd_" "source" "sourcetype" "splunk_server" "user"
phase1 simpleresultcombiner max=0 | lookup ctf_users Username as user | search Result="Correct" | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | addinfo type=count label=prereport_events track_fieldmeta_events=true | timeliner remote=0 partial_commits=1 max_events_per_bucket=1000 fieldstats_update_maxperiod=60 bucket=300 extra_field=* | stats dc(user) as "Users Who Completed"
pid 23844
priority 5
provenance UI:Search
remoteSearch litsearch (user!=admin Number=3 index=scoreboard_admin time>=0.000) | fields keepcolorder=t "*" "DisplayUsername" "Result" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "prestats_reserved" "psrsvd_" "source" "sourcetype" "splunk_server" "user"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-31-2018 01:16 AM

Hi troyward,
using post process search, you have to declare the fields to use in the panels using the fields command.
So your base search must be:

earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info` 
| fields Result user

If you have other panels using other fields, you have to add them to the fields command.

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-31-2018 01:16 AM

Hi troyward,
using post process search, you have to declare the fields to use in the panels using the fields command.
So your base search must be:

earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info` 
| fields Result user

If you have other panels using other fields, you have to add them to the fields command.

Bye.
Giuseppe

Reply
Solved! Jump to solution

troyward
Explorer
‎10-31-2018 06:09 PM

Wow, I don't get it. I've never done that before and never had issues but that did it.

Thanks

0 Karma
Reply
Solved! Jump to solution

iamarkaprabha
Contributor
‎10-30-2018 08:53 PM

Does the macro has permission level to the same app where the dashboard was created?

0 Karma
Reply
Solved! Jump to solution

troyward
Explorer
‎10-31-2018 01:10 AM

Yes, like I said, the base query works fine in one of the other panels on the dashboard. Also when I run it in Search it's in the context of that app.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...