Solved: Rename works in search but not in Dashboard Studio

MirrorCraze · ‎12-07-2023

I have a data like this.

{
...
   name: AppName
   metrics: {
data: [
       {
         details: { ...
         }
         name: dataName1
         status: UP
       }
       {

details: { ...
         }
         name: dataName2
         status: UP

}
       { ...
       }
     ]
     indicators: [...]
     status: DOWN
   }
   logs: { ...
   }
   ping: 1

}

I tried to extract data each name and status inside the data out, so I called

spath output=metrics path=metrics 
|rename metrics.data{}.name as name, metrics.data{}.status as status
| table _time, name, status

This gives proper table

_time	name	status
2023-12-07 15:36:28	dataName1 dataName2 dataName3	UP DOWN UP
2023-12-07 15:35:29	dataName1 dataName2 dataName3	DOWN DOWN UP
2023-12-07 15:34:30	dataName1 dataName2 dataName3	DOWN UP DOWN

However, after putting this search into the dashboard studio search query, it simply returned "No Search Result Returned". Is there something wrong with rename?

Thank you!

MirrorCraze · ‎12-13-2023

Found the way around it. Have to pipe "|fields metrics.data{}.name metrics.data{}.status". I don't know why I need to do that also, but apparently it works now.

View solution in original post

yuanliu · ‎12-08-2023

Did you enter the search in Studio's visual editor or did you insert them directly into source? Is there some mistyping/miscopying?

There is nothing wrong with rename. You can try out this test dashboard

{
	"dataSources": {
		"ds_FAnSoMB1": {
			"type": "ds.search",
			"options": {
				"query": "| makeresults\n| eval _raw = \"{\\\"data\\\":[{\\\"name\\\":\\\"B\\\"},{\\\"name\\\":\\\"D\\\"},{\\\"name\\\":\\\"b\\\"},{\\\"name\\\":\\\"d\\\"}]}\"\n| spath\n| fields - _*\n| rename data{}.name as name",
				"queryParameters": {
					"earliest": "-24h@h",
					"latest": "now"
				}
			},
			"name": "Table search"
		}
	},
	"visualizations": {
		"viz_qVGDM9DA": {
			"type": "splunk.table",
			"options": {
				"count": 100,
				"dataOverlayMode": "none",
				"drilldown": "none",
				"showRowNumbers": false,
				"showInternalFields": false
			},
			"dataSources": {
				"primary": "ds_FAnSoMB1"
			}
		}
	},
	"inputs": {
		"input_global_trp": {
			"type": "input.timerange",
			"options": {
				"token": "global_time",
				"defaultValue": "-24h@h,now"
			},
			"title": "Global Time Range"
		}
	},
	"layout": {
		"type": "grid",
		"options": {
			"width": 1440,
			"height": 960
		},
		"structure": [
			{
				"item": "viz_qVGDM9DA",
				"type": "block",
				"position": {
					"x": 0,
					"y": 0,
					"w": 1440,
					"h": 250
				}
			}
		],
		"globalInputs": [
			"input_global_trp"
		]
	},
	"title": "DS dashboard and rename command",
	"defaults": {
		"dataSources": {
			"ds.search": {
				"options": {
					"queryParameters": {
						"latest": "$global_time.latest$",
						"earliest": "$global_time.earliest$"
					}
				}
			}
		}
	},
	"description": "https://community.splunk.com/t5/Splunk-Search/Rename-works-in-search-but-not-in-Dashboard-Studio/m-p/671192#M230030"
}

The search used is simply

| makeresults
| eval _raw = "{\"data\":[{\"name\":\"B\"},{\"name\":\"D\"},{\"name\":\"b\"},{\"name\":\"d\"}]}"
| spath
| fields - _*
| rename data{}.name as name

The dashboard gives the exact same output.

MirrorCraze · ‎12-08-2023

Hmmm yeah. Your example is actually working.

I pretty much just copy-paste the search from search screen to the splunk dashboard studio page. One weird thing is that when I clicked "Open In Search" on Splunk Dashboard Studio, it does work. However somehow it does not work on the dashboard itself.

Any possible pointers on this?

MirrorCraze · ‎12-13-2023

Found the way around it. Have to pipe "|fields metrics.data{}.name metrics.data{}.status". I don't know why I need to do that also, but apparently it works now.

yuanliu · ‎12-13-2023

Found the way around it. Have to pipe "|fields metrics.data{}.name metrics.data{}.status". I don't know why I need to do that also, but apparently it works now.

Actually splunkernator and I uncovered the root cause a few days ago in Do you lose any information between Chain Searches in Dashboards? It's intricate, but everyone using Dashboard Studio should be aware until DS releases a fix.

You didn't illustrate under which conditions your original code failed. But based on splunkernator and my findings, I speculate that you had | spath output=metrics path=metrics in main search, but |rename metrics.data{}.name as name, metrics.data{}.status as status in chain search. Is this correct?

Then, your workaround is to add | fields metrics.data{}.name metrics.data{}.status into main search. If you add this to subsearch, nothing will change. You would still have a broken panel.

Meanwhile, are you sure you want a multivalue field name?

MirrorCraze · ‎12-18-2023

Actually, yes! I do have to add the fields pipe on the base search. I tried to add it on the chain also, but it does not work.

And also, yes, I do have rename in the chain search while the spath in the main search.

Interesting read on the forum you shared indeed. I'll be careful for now on parsing data between search.

Ps. for name, in the end I have to mvzip name and status, mvjoin, find latest one then use rex to extract values out. It's complicated and time costly, but it works for now so I think I'm going to just let it be for now.

Rename works in search but not in Dashboard Studio

table

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)