Search not functioning in all apps after upgrade from Splunk Enterprise 5.0.4 to 6.0.4

psharkey
Explorer

Splunk Enterprise v6.0.4 (build 207768).

Search works inside the Search & Reporting app and a few other apps. By that I mean if your search terms are syntactically correct and there are matching events, they will be returned.

However, in some apps with embedded search capability, nothing is returned when you enter search terms and select the magnifying glass button. If you use the same search terms in the Search & Reporting app, results will get returned.

The account that I am logged in with is in the admin role. Users with the admin role are allowed to search all indexes.

We recently upgraded from Splunk Enterprise 5.0.4. I am not sure if this behavior started when we upgraded or since then.

Examples of apps where Search does function:

  • Search & Reporting v6.0.4
  • Cisco IOS v1.3.2
  • *NIX 4.6 v4.6 (Build 133346)

Examples of apps where Search does not function include:

  • Splunk for Blue Coat v3.0.7 (Build 30007)
  • Cisco Security Suite v3.0.3 (Build 100784)
  • Splunk App for Microsoft Exchange v2.1.1

These apps are compatible with Splunk 6.0. App permission settings look appropriate.

Any ideas?


alterdego
Path Finder

I had a similar issue after the upgrade to 6.x from 5.x. In my instance it was related to flashtimeline in version 5.x versus search in version 6.x. What I ended up doing was getting a copy of the flashtimeline xml file from a version 5.x search app and adding it to the data/ui/views/ folder of the apps where it wasn't working.

For me it was somewhat similar to the issue described here:
http://answers.splunk.com/answers/104477/splunk-6-flashtimeline-conversion-to-search-assigning-chart...

or the opposite of what is described here:
http://answers.splunk.com/answers/112171/app-has-an-overriding-copy-of-the-flashtimelinexml


psharkey
Explorer

Thanks alterdego. Your recommendation resolved the problem that I was experiencing.

0 Karma

mikaelbje
Motivator

I experienced the same thing happening with the search view. Linking this with a thread where a fix was found: https://answers.splunk.com/answers/219784/new-app-old-4350-style-search-view.html

The search.xml view was exported globally from an app that was initially created for Splunk 5 and thus overrode the search.xml view exported from the search app. The app causing the trouble was sec_one_dns which takes precedence over the search app's search.xml file because of ASCII order.

The reason the Search view in the Cisco IOS app works (I'm the author, by the way) is that it ships its own search.xml, which is just a copy of the search.xml from the search app.

0 Karma
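To find which apps could be shadowing the search view as described in this thread, the following added example (not code from any poster or from Splunk) lists every app that ships a `search.xml` or `flashtimeline.xml` view and the `export` setting that applies to it. It assumes the usual `.meta` layering (`local.meta` over `default.meta`, most specific stanza first) and a default apps path of `/opt/splunk/etc/apps`; the function names are hypothetical.

```python
import sys
from pathlib import Path

VIEWS = ("search", "flashtimeline")  # view names discussed in this thread

def read_meta(path):
    """Parse a Splunk .meta file into {stanza: {key: value}} (minimal parser)."""
    stanzas, current = {}, None
    if not path.is_file():
        return stanzas
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})  # "[]" becomes ""
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def export_setting(app_dir, view):
    """Effective 'export' for a view. Assumption: [views/<name>] beats [views]
    beats [], and local.meta beats default.meta; unset means app-local."""
    metas = [read_meta(app_dir / "metadata" / f) for f in ("local.meta", "default.meta")]
    for stanza in (f"views/{view}", "views", ""):
        for meta in metas:
            if "export" in meta.get(stanza, {}):
                return meta[stanza]["export"]
    return "none"

def find_view_copies(apps_dir):
    """Return [(app, view, export)] for each app shipping one of VIEWS,
    sorted by app directory name in ASCII order."""
    hits = []
    for app_dir in sorted(Path(apps_dir).iterdir(), key=lambda p: p.name):
        view_dirs = [app_dir / layer / "data" / "ui" / "views" for layer in ("local", "default")]
        for view in VIEWS:
            if any((d / f"{view}.xml").is_file() for d in view_dirs):
                hits.append((app_dir.name, view, export_setting(app_dir, view)))
    return hits

def globally_exported(apps_dir):
    """Copies exported to every app: the candidates for the override described above."""
    return [(app, view) for app, view, export in find_view_copies(apps_dir) if export == "system"]

if __name__ == "__main__":
    apps = Path(sys.argv[1] if len(sys.argv) > 1 else "/opt/splunk/etc/apps")  # assumed path
    for app, view, export in (find_view_copies(apps) if apps.is_dir() else []):
        print(f"{app:30} {view}.xml  export={export}")
```

Any app other than the search app that appears with `export=system` for `search` is worth reviewing after an upgrade.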