Splunk Search

Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

john_l_mottola
Engager

I am trying to build dashboards for common searches to minimize what operations needs to learn, but I am having an issue. I was able to get the searches working as expected, but the results are not parsing in the dashboard as expected. When viewing this data following a search everything parses as expected, but when using the same search in a Dashboard the data is not parse properly. In the dashboard I only get host, source, sourcetype, index, linecount, and splunk_server. All of these fields are in my search, plus all the fields defined in the transforms.conf.

Sample Data
email@email.com,2014-10-31T03:59:47+00:00,10.0.0.1,read,1363::14::1703::658352::0::0

props.conf
[dyn_bounce_record]
TZ = GMT
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = dyn_bounce

transforms.conf
[dyn_bounce]
FIELDS = "EmailAddress","Bounce_Type","Bounce_Rule","Bounce_Code","Timestamp","X-MailingID"
DELIMS = ","

XML Source from Dashboard

<form>
  <label>Dyn Email Reports</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="dtPicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="ddSourceType" searchWhenChanged="true">
      <label>Source Type</label>
      <choice value="dyn_bounce_record">Bounces</choice>
      <choice value="dyn_sent_record">Sent</choice>
      <choice value="dyn_complaint_record">Complaints</choice>
      <choice value="dyn_open_record">Opens</choice>
      <choice value="dyn_delivered_record">Delivered</choice>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="text" token="txtEmail" searchWhenChanged="true">
      <label>Email Address</label>
      <default>*</default>
      <seed>*</seed>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Dyn Reporting</title>
      <event>
        <search>
          <query>index=dyn sourcetype=$ddSourceType$ $txtEmail$</query>
          <earliest>$dtPicker.earliest$</earliest>
          <latest>$dtPicker.latest$</latest>
        </search>
        <option name="count">25</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <fields>["host","source","sourcetype"]</fields>
      </event>
    </panel>
  </row>
</form>

I am running Splunk Enterprise 6.2 on Windows Server 2008 R2 x64

1 Solution

Raghav2384
Motivator

Just as nfilippi mentioned, if you have restricted fields, only those would be displayed in my Interesting fields

Example: Lets say you have 100 Interesting fields before search.
index = abc sourcetype=xyz|fields source,user,uid,ip,_raw,_time|timechart count by user

Now i am down from 100 to 4 fields.Hope this helps

View solution in original post

Raghav2384
Motivator

Just as nfilippi mentioned, if you have restricted fields, only those would be displayed in my Interesting fields

Example: Lets say you have 100 Interesting fields before search.
index = abc sourcetype=xyz|fields source,user,uid,ip,_raw,_time|timechart count by user

Now i am down from 100 to 4 fields.Hope this helps

john_l_mottola
Engager

Thanks, this worked just as expected.

0 Karma

nfilippi_splunk
Splunk Employee
Splunk Employee

Can you share your xml?

Also note that dashboards run searches in fast mode by default. So if you want/need specific fields to be parsed and available (in a post process for example), you will need to add the fields command to your base search with the fields you want.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...