
Rename works in search but not in Dashboard Studio

MirrorCraze
Explorer

I have data like this.

{
   ...
   name: AppName
   metrics: {
     data: [
       {
         details: { ... }
         name: dataName1
         status: UP
       }
       {
         details: { ... }
         name: dataName2
         status: UP
       }
       { ... }
     ]
     indicators: [...]
     status: DOWN
   }
   logs: { ... }
   ping: 1
}

I tried to extract each name and status inside data, so I ran

spath output=metrics path=metrics 
|rename metrics.data{}.name as name, metrics.data{}.status as status
| table _time, name, status



This gives a proper table:

_time                 name        status
2023-12-07 15:36:28   dataName1   UP
                      dataName2   DOWN
                      dataName3   UP
2023-12-07 15:35:29   dataName1   DOWN
                      dataName2   DOWN
                      dataName3   UP
2023-12-07 15:34:30   dataName1   DOWN
                      dataName2   UP
                      dataName3   DOWN

However, after putting this search into the dashboard studio search query, it simply returned "No Search Result Returned". Is there something wrong with rename?

Thank you!


yuanliu
SplunkTrust

Did you enter the search in Studio's visual editor, or did you insert it directly into the source? Is there some mistyping/miscopying?

There is nothing wrong with rename. You can try out this test dashboard:

{
	"dataSources": {
		"ds_FAnSoMB1": {
			"type": "ds.search",
			"options": {
				"query": "| makeresults\n| eval _raw = \"{\\\"data\\\":[{\\\"name\\\":\\\"B\\\"},{\\\"name\\\":\\\"D\\\"},{\\\"name\\\":\\\"b\\\"},{\\\"name\\\":\\\"d\\\"}]}\"\n| spath\n| fields - _*\n| rename data{}.name as name",
				"queryParameters": {
					"earliest": "-24h@h",
					"latest": "now"
				}
			},
			"name": "Table search"
		}
	},
	"visualizations": {
		"viz_qVGDM9DA": {
			"type": "splunk.table",
			"options": {
				"count": 100,
				"dataOverlayMode": "none",
				"drilldown": "none",
				"showRowNumbers": false,
				"showInternalFields": false
			},
			"dataSources": {
				"primary": "ds_FAnSoMB1"
			}
		}
	},
	"inputs": {
		"input_global_trp": {
			"type": "input.timerange",
			"options": {
				"token": "global_time",
				"defaultValue": "-24h@h,now"
			},
			"title": "Global Time Range"
		}
	},
	"layout": {
		"type": "grid",
		"options": {
			"width": 1440,
			"height": 960
		},
		"structure": [
			{
				"item": "viz_qVGDM9DA",
				"type": "block",
				"position": {
					"x": 0,
					"y": 0,
					"w": 1440,
					"h": 250
				}
			}
		],
		"globalInputs": [
			"input_global_trp"
		]
	},
	"title": "DS dashboard and rename command",
	"defaults": {
		"dataSources": {
			"ds.search": {
				"options": {
					"queryParameters": {
						"latest": "$global_time.latest$",
						"earliest": "$global_time.earliest$"
					}
				}
			}
		}
	},
	"description": "https://community.splunk.com/t5/Splunk-Search/Rename-works-in-search-but-not-in-Dashboard-Studio/m-p/671192#M230030"
}

The search used is simply

| makeresults
| eval _raw = "{\"data\":[{\"name\":\"B\"},{\"name\":\"D\"},{\"name\":\"b\"},{\"name\":\"d\"}]}"
| spath
| fields - _*
| rename data{}.name as name

The dashboard gives the exact same output.

MirrorCraze
Explorer

Hmmm, yeah. Your example is actually working.

I pretty much just copy-pasted the search from the search screen to the Splunk Dashboard Studio page. One weird thing is that when I click "Open in Search" in Splunk Dashboard Studio, it does work. However, somehow it does not work on the dashboard itself.

Any possible pointers on this?

MirrorCraze
Explorer

Found a way around it. I have to pipe "| fields metrics.data{}.name metrics.data{}.status". I don't know why I need to do that as well, but apparently it works now.

yuanliu
SplunkTrust
Found the way around it. Have to pipe "|fields metrics.data{}.name metrics.data{}.status". I don't know why I need to do that also, but apparently it works now.

Actually, splunkernator and I uncovered the root cause a few days ago in "Do you lose any information between Chain Searches in Dashboards?" It's intricate, but everyone using Dashboard Studio should be aware of it until DS releases a fix.

You didn't illustrate under which conditions your original code failed. But based on splunkernator's and my findings, I speculate that you had | spath output=metrics path=metrics in the main search, but | rename metrics.data{}.name as name, metrics.data{}.status as status in the chain search. Is this correct?

Then your workaround is to add fields metrics.data{}.name metrics.data{}.status to the main search. If you add this to the subsearch, nothing will change. You would still have a broken panel.

Meanwhile, are you sure you want a multivalue field name?

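To make the failure mode discussed in this thread concrete, here is an added Dashboard Studio definition (written for this page, not posted by anyone in the thread) that mirrors the setup yuanliu describes: a base search that spath-extracts the event, and a chain search that only renames. The sample event is constructed with makeresults to match the structure in the question, so it runs on any Splunk instance with no indexed data; the datasource and visualization ids are arbitrary, and the chain searches use the ds.chain "extend" option to reference the base search. The "| fields ..." line in the base search is the workaround from this thread: per the findings above, removing it from the base search (or moving it into the chain search) is what produces the empty panel. A second chain search shows one way to get one row per data element instead of a multivalue name field, which is the point of yuanliu's last question.

```json
{
  "title": "Chain search keeps only fields the base search names explicitly",
  "dataSources": {
    "ds_base": {
      "type": "ds.search",
      "name": "Base search: extract and pin the fields the chain searches need",
      "options": {
        "query": "| makeresults\n| eval _raw = \"{\\\"name\\\":\\\"AppName\\\",\\\"metrics\\\":{\\\"data\\\":[{\\\"name\\\":\\\"dataName1\\\",\\\"status\\\":\\\"UP\\\"},{\\\"name\\\":\\\"dataName2\\\",\\\"status\\\":\\\"DOWN\\\"}],\\\"status\\\":\\\"DOWN\\\"},\\\"ping\\\":1}\"\n| spath\n| fields _time metrics.data{}.name metrics.data{}.status",
        "queryParameters": {
          "earliest": "-24h@h",
          "latest": "now"
        }
      }
    },
    "ds_chain_rename": {
      "type": "ds.chain",
      "name": "Chain search 1: rename only (multivalue name and status per event)",
      "options": {
        "extend": "ds_base",
        "query": "| rename metrics.data{}.name as name, metrics.data{}.status as status\n| table _time name status"
      }
    },
    "ds_chain_expand": {
      "type": "ds.chain",
      "name": "Chain search 2: one row per data element (name and status paired by position)",
      "options": {
        "extend": "ds_base",
        "query": "| eval pair = mvzip('metrics.data{}.name', 'metrics.data{}.status', \"|\")\n| mvexpand pair\n| eval name = mvindex(split(pair, \"|\"), 0), status = mvindex(split(pair, \"|\"), 1)\n| table _time name status"
      }
    }
  },
  "visualizations": {
    "viz_rename": {
      "type": "splunk.table",
      "title": "rename in chain search (works because the base search pins the fields)",
      "dataSources": {
        "primary": "ds_chain_rename"
      }
    },
    "viz_expand": {
      "type": "splunk.table",
      "title": "one row per data element",
      "dataSources": {
        "primary": "ds_chain_expand"
      }
    }
  },
  "layout": {
    "type": "grid",
    "options": {
      "width": 1440,
      "height": 600
    },
    "structure": [
      {
        "item": "viz_rename",
        "type": "block",
        "position": { "x": 0, "y": 0, "w": 1440, "h": 250 }
      },
      {
        "item": "viz_expand",
        "type": "block",
        "position": { "x": 0, "y": 250, "w": 1440, "h": 250 }
      }
    ]
  }
}
```

Paste this into the Source view of a new Dashboard Studio dashboard. Both panels populate; the first shows one row per event with multivalue name and status, the second shows one row per data element. Because the base search already dropped the top-level "name" (AppName) with "| fields", the rename in the first chain search does not collide with it. The second chain search pairs the two multivalue fields by position with mvzip before expanding, so a row's status always belongs to its name; a plain mvexpand on either field alone would lose that pairing.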

MirrorCraze
Explorer

Actually, yes! I do have to add the fields pipe to the base search. I tried to add it to the chain as well, but it does not work.

And also, yes, I do have rename in the chain search while spath is in the main search.

Interesting read on the forum thread you shared indeed. I'll be careful from now on when parsing data between searches.

P.S. For name, in the end I have to mvzip name and status, mvjoin, find the latest one, then use rex to extract the values out. It's complicated and time-costly, but it works for now, so I think I'm just going to let it be.
