Splunk Search

Search works manually but not in dashboard

kmattern
Builder

This search works perfectly in our production environment but not in the new Dev environment. However, it does return results when run manually in either environment. Here are both the XML portion and the search.

<module name="TimeRangePicker" layoutPanel="panel_row1_col1">
  <param name="searchWhenChanged">False</param>
  <module name="SubmitButton" layoutPanel="panel_row1_col1">
    <param name="allowSoftSubmit">True</param>
    <param name="label">Search</param>
    <module name="Search">
      <param name="search">
[|inputlookup DataCustomer.csv | fields username]
| search sourcetype="SourceData" Message="*\Data1a\*"
| lookup DataCustomer.csv username output Customer
| stats sum(filesize) as Data1 by Customer
| eval Data1=floor(Data1/1024/1024)
| append [search sourcetype="SourceData" Message="*\Data2\*"
| lookup DataCustomer.csv username output Customer
| stats sum(filesize) as Data2 by Customer
| eval Data2=floor(Data2/1024/1024)]
| append [search sourcetype="SourceData" Message="*\Data3\*"
| lookup DataCustomer.csv username output Customer
| stats sum(filesize) as Data3 by Customer
| eval Data3=floor(Data3/1024/1024)]
| append [search sourcetype="SourceData" Message="*\Data4\*"
| lookup DataCustomer.csv username output Customer
| stats sum(filesize) as Data4 by Customer
| eval Data4=floor(Data4/1024/1024)]
| append [search sourcetype="SourceData" Message="*\Data5\*"
| lookup DataCustomer.csv username output Customer
| stats sum(filesize) as Data5 by Customer
| eval Data5=floor(Data5/1024/1024)]
| lookup Customerall.csv Customer output CsvName
| stats first(CsvName) as CsvName, first(Data5) as Data5, first(Data2) as Data2, first(Data3) as Data3, first(Data4) as Data4, first(Data1) as Data1 by Customer
| fillnull value="0" Data5, Data2, Data3, Data4, Data1
| table CsvName, Customer, Data5, Data2, Data3, Data4, Data1
| sort Customer | addtotals fieldname="Total (MB)" | addcoltotals
      </param>
      <module name="JobStatus" layoutPanel="panel_row1_col1_grp1">
        <param name="hideOnJobDone">true</param>
        <module name="Export" layoutPanel="panel_row1_col1_grp1">
          <param name="exportType">results</param>
        </module>
        <module name="Paginator" layoutPanel="panel_row1_col1_grp1" group="All Customer Data Received">
          <param name="count">20</param>
          <param name="entityName">results</param>
          <param name="groupLabel">All Customer Data Received</param>
          <module name="Table" layoutPanel="panel_row1_col1_grp1">
            <param name="hiddenFields">CsvName</param>
            <module name="ViewRedirectorLink">
              <param name="viewTarget">flashtimeline</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
0 Karma

watsm10
Communicator

I'm not sure, but I think you need to add autoRun="True" to your Search module.

So: <module name="Search" autoRun="True">

0 Karma

nmistry_splunk
Splunk Employee

What does the job inspector say? I would compare job inspectors of the search in production vs search in dev instance. Here are docs for using job description.

I would also try to change the multiline search to one line, just to test.

0 Karma

kmattern
Builder

To make matters worse, I also now have a view with a hidden saved search that returns one set of results. But if I run the same search manually it returns a different set of results. This is a relatively new install of Splunk, so I'm beginning to believe there is something wrong with the config.

0 Karma

rturk
Builder

In addition to what Rsennett said, another point that can catch you out occasionally is the time range: if you set the time range to all time, do you get results in the dev environment?

But definitely check the permissions of DataCustomer.csv & Customerall.csv, and run the report as a user who should have access (that may not have admin privs) - checking with the search job inspector should help narrow down where the issue lies.

0 Karma

rsennett_splunk
Splunk Employee

Just to be clear. You're saying:

the View returns results in Production
the View does not return results in Dev
the search runs in production and dev if run just as a search.

Did you, by any chance, make a manual change to something in the GUI? Like, adding one of those lookups? I'd check that you have the permissions set where you need them. The default is "Private"... If you're testing the search as admin, you might not notice until you try to run the dashboard view from the user point of view...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
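An added example, not code from the thread or from Splunk, that does a static pre-flight check on a view like the one in the question: it finds each Search module, reports whether autoRun is set (watsm10's suggestion), and lists the lookup files the SPL references so their sharing permissions (Private vs. App/Global) can be verified before the view is run as a non-admin user, as rturk and rsennett advise. The sample view is constructed and simplified, the helper names are hypothetical, and the regex assumes the file name directly follows lookup, inputlookup or outputlookup with no options in between.

```python
"""Static pre-flight check for a Splunk advanced-XML view (hypothetical helper).

For every <module name="Search"> it reports whether autoRun is set and which
lookup files the SPL references, so that each lookup's sharing can be checked
before a non-admin user opens the view.
"""
import re
import xml.etree.ElementTree as ET

# Constructed, simplified view modelled on the one in the question (not the real view).
SAMPLE_VIEW = r"""<view>
  <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="searchWhenChanged">False</param>
    <module name="SubmitButton" layoutPanel="panel_row1_col1">
      <param name="allowSoftSubmit">True</param>
      <module name="Search">
        <param name="search">
[|inputlookup DataCustomer.csv | fields username]
| search sourcetype="SourceData"
| lookup DataCustomer.csv username output Customer
| lookup Customerall.csv Customer output CsvName
| stats count by Customer
        </param>
        <module name="Table" layoutPanel="panel_row1_col1_grp1"/>
      </module>
    </module>
  </module>
</view>"""

# File name that directly follows lookup / inputlookup / outputlookup.
# Assumption: no options such as local=true sit between the command and the file name.
LOOKUP_RE = re.compile(r"\b(?:input|output)?lookup\s+([\w.\-]+)", re.IGNORECASE)


def lookups_in_spl(spl):
    """Return the sorted, de-duplicated lookup file names referenced in an SPL string."""
    return sorted(set(LOOKUP_RE.findall(spl)))


def check_view(xml_text):
    """Return one finding per Search module: autoRun state, whether it carries a
    search param at all, and the lookup files that search references."""
    root = ET.fromstring(xml_text)
    findings = []
    for mod in root.iter("module"):
        if mod.get("name") != "Search":
            continue
        search_param = next(
            (p for p in mod.findall("param") if p.get("name") == "search"), None
        )
        spl = (search_param.text or "").strip() if search_param is not None else ""
        findings.append({
            # The thread writes autoRun="True"; accept any capitalisation of "true".
            "autorun": mod.get("autoRun", "").lower() == "true",
            "has_search": bool(spl),
            "lookups": lookups_in_spl(spl),
        })
    return findings


if __name__ == "__main__":
    for finding in check_view(SAMPLE_VIEW):
        print(finding)
```

Each lookup file the check lists is one whose sharing should be confirmed in the Dev environment; a lookup left at the default Private scope is visible to the admin who created it but not to other users running the view, which matches the "works manually, not in the dashboard" symptom described above.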