Splunk Search

Query works fine in search, not on dashboard

troyward
Explorer

Update: So doing a little more investigation it looks like the line

|   search Result="Correct"

is what is actually giving me problems on the dashboard coming out of the post processing search. When I just do the 2nd line of the sub-search it works fine.

I have a very simple query that runs correctly in search, but when I try to use it on a dashboard, it doesn't come back with anything. The raw search is:

earliest=0 index=scoreboard_admin user!=admin Number=3 `get_user_info` 
|   search Result="Correct"
| stats dc(user) as "Users Who Completed"

Which returns the correct answer (19).

When I put it in my dashboard (as a post-processing search), I don't come up with anything.

  <search id="base">
    <query>
      earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info` 
    </query>
    <earliest>0</earliest>
    <latest>now</latest>
    <done>
      <set token="tokHTML">$result.data$</set>
    </done>
  </search>

    <panel id="users_correct">
      <table>
        <title>Users with Correct Answer</title>
        <search base="base">
          <query>|  search Result="Correct"
| stats dc(user) as "Users Who Completed"</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>

The original post-processing search only returns about 300 records so not worried about hitting that limit. Also, I have another post-processing search based on the same base search that does work just fine.

When I do an inspection on the dashboard, this is what I get

Duration (seconds) Component Invocations Input count Output count
0.00 command.eval 3 317 317
0.00 command.fields 2 317 317
0.02 command.lookup 3 317 317
0.02 command.search 2 - 317
0.03 command.search.expand_search 2 - -
0.00 command.search.filter 1 - -
0.00 command.search.index 3 - -
0.00 command.search.calcfields 1 1,070 1,070
0.00 command.search.fieldalias 1 1,070 1,070
0.00 command.search.index.usec_1_8 32 - -
0.01 command.search.rawdata 1 - -
0.00 command.search.kv 1 - -
0.00 command.search.lookups 1 1,070 1,070
0.00 command.search.parse_directives 2 - -
0.00 command.search.summary 2 - -
0.00 command.search.tags 1 317 317
0.00 command.search.typer 1 317 317
0.00 command.simpleresultcombiner 3 317 317
0.00 command.timeliner 3 317 317
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate.eval 2 - -
0.00 dispatch.evaluate.lookup 2 - -
0.05 dispatch.evaluate.search 2 - -
0.00 dispatch.evaluate.simpleresultcombiner 2 - -
0.04 dispatch.fetch.rcp.phase_0 3 - -
0.01 dispatch.finalWriteToDisk 1 - -
0.02 dispatch.localSearch 1 - -
0.00 dispatch.readEventsInResults 1 - -
0.02 dispatch.stream.local 2 - -
0.00 dispatch.timeline 3 - -
0.00 dispatch.writeStatus 2 - -
0.11 startup.configuration 2 - -
0.30 startup.handoff 2 - -

normalizedSearch litsearch (index=scoreboard_admin user!=admin Number=3 _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"
numPreviews None
optimizedSearch | search (user!=admin Number=3 earliest=0 index=scoreboard_admin) | lookup ctf_users Username as user | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user)
phase0 litsearch (user!=admin Number=3 index=scoreboard_admin _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"
phase1 simpleresultcombiner max=0 | lookup ctf_users Username as user | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | timeliner remote=0 partial_commits=1 max_events_per_bucket=500000 fieldstats_update_maxperiod=60 bucket=0
pid 22450
priority 5
provenance UI:Dashboard:question_investigator

remoteSearch litsearch (user!=admin Number=3 index=scoreboard_admin _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"

When I do an inspection on the raw Search I get:

Duration (seconds) Component Invocations Input count Output count
0.00 command.addinfo 3 19 19
0.00 command.eval 3 19 19
0.00 command.fields 2 317 317
0.09 command.lookup 3 317 317
0.07 command.search 5 317 336
0.06 command.search.expand_search 2 - -
0.00 command.search.filter 4 - -
0.00 command.search.index 3 - -
0.00 command.search.calcfields 1 1,070 1,070
0.00 command.search.fieldalias 1 1,070 1,070
0.00 command.search.index.usec_1_8 32 - -
0.05 command.search.rawdata 1 - -
0.02 command.search.typer 1 317 317
0.01 command.search.kv 1 - -
0.00 command.search.lookups 1 1,070 1,070
0.00 command.search.parse_directives 2 - -
0.00 command.search.summary 2 - -
0.00 command.search.tags 1 317 317
0.00 command.simpleresultcombiner 3 317 317
0.00 command.stats 4 19 1
0.00 command.stats.execute_input 3 19 -
0.00 command.stats.execute_output 1 - 1
0.00 command.timeliner 3 19 19
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate.eval 2 - -
0.00 dispatch.evaluate.lookup 2 - -
0.10 dispatch.evaluate.search 4 - -
0.00 dispatch.evaluate.simpleresultcombiner 2 - -
0.00 dispatch.evaluate.stats 2 - -
0.12 dispatch.fetch.rcp.phase_0 3 - -
0.00 dispatch.finalWriteToDisk 1 - -
0.07 dispatch.localSearch 1 - -
0.07 dispatch.stream.local 2 - -
0.00 dispatch.timeline 3 - -
0.00 dispatch.writeStatus 2 - -
0.06 startup.configuration 2 - -
0.03 startup.handoff 2 - -

optimizedSearch | search (user!=admin Number=3 earliest=0 index=scoreboard_admin) | lookup ctf_users Username as user| search Result="Correct" | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | stats dc(user) as "Users Who Completed"
phase0 litsearch (user!=admin Number=3 index=scoreboard_admin time>=0.000) | fields keepcolorder=t "*" "DisplayUsername" "Result" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "prestats_reserved" "psrsvd_" "source" "sourcetype" "splunk_server" "user"
phase1 simpleresultcombiner max=0 | lookup ctf_users Username as user | search Result="Correct" | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | addinfo type=count label=prereport_events track_fieldmeta_events=true | timeliner remote=0 partial_commits=1 max_events_per_bucket=1000 fieldstats_update_maxperiod=60 bucket=300 extra_field=* | stats dc(user) as "Users Who Completed"
pid 23844
priority 5
provenance UI:Search
remoteSearch litsearch (user!=admin Number=3 index=scoreboard_admin time>=0.000) | fields keepcolorder=t "*" "DisplayUsername" "Result" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "prestats_reserved" "psrsvd_" "source" "sourcetype" "splunk_server" "user"

0 Karma
1 Solution

gcusello
Legend

Hi troyward,
Using a post-process search, you have to declare the fields to use in the panels using the fields command.
So your base search must be:

earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info` 
| fields Result user

If you have other panels using other fields, you have to add them to the fields command.

Bye.
Giuseppe


0 Karma
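The full dashboard as it looks once the fix is applied, as an added example that is not part of the original thread. The job inspector output in the question already shows why the fields command matters: the dashboard's base job ends in `fields keepcolorder=t "DisplayUsername" "Team" "Username" ... "user"` with no `Result`, while the raw search's list includes `"*"` and `"Result"`, so a post-process `search Result="Correct"` on the dashboard had no field to match. The `<form>` wrapper, the `QuestionNum` text input (defaulting to `Number=3`, since that is what the token stood in for in the raw search) and the second per-Team panel are assumptions added for illustration.

```xml
<form>
  <label>question_investigator</label>

  <!-- Assumed input: in the raw search the token $QuestionNum$ stood in for Number=3 -->
  <fieldset submitButton="false">
    <input type="text" token="QuestionNum">
      <label>Question filter</label>
      <default>Number=3</default>
    </input>
  </fieldset>

  <!-- Base search: filter events, expand the macro, then explicitly keep every
       field that any post-process panel references. Without this fields command
       the base job's field list (see the job inspector output above) omits Result,
       so a post-process search on Result matches nothing. -->
  <search id="base">
    <query>
      earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info`
      | fields Result user Team
    </query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>

  <row>
    <!-- The panel from the question; it needs Result and user from the base search -->
    <panel id="users_correct">
      <table>
        <title>Users with Correct Answer</title>
        <search base="base">
          <query>| search Result="Correct"
| stats dc(user) as "Users Who Completed"</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>

    <!-- Hypothetical second panel (not from the original post). It also uses Team,
         which is why Team is listed in the base search's fields command as well. -->
    <panel id="teams_correct">
      <table>
        <title>Correct Answers by Team</title>
        <search base="base">
          <query>| search Result="Correct"
| stats dc(user) as "Users" by Team</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Any field a post-process query filters, groups or counts on must appear in the base search's `fields` list; `fields` without a leading `-` keeps only the named fields (plus the internal ones), which also shrinks the result set the post-process searches have to read.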


troyward
Explorer

Wow, I don't get it. I've never done that before and never had issues but that did it.

Thanks

0 Karma

iamarkaprabha
Contributor

Does the macro have permissions in the same app where the dashboard was created?

0 Karma

troyward
Explorer

Yes, like I said, the base query works fine in one of the other panels on the dashboard. Also when I run it in Search it's in the context of that app.

0 Karma