Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

john_l_mottola
Engager
‎10-31-2014 01:50 PM

I am trying to build dashboards for common searches to minimize what operations needs to learn, but I am having an issue. I was able to get the searches working as expected, but the results are not parsing in the dashboard as expected. When viewing this data following a search everything parses as expected, but when using the same search in a Dashboard the data is not parse properly. In the dashboard I only get host, source, sourcetype, index, linecount, and splunk_server. All of these fields are in my search, plus all the fields defined in the transforms.conf.

Sample Data
email@email.com,2014-10-31T03:59:47+00:00,10.0.0.1,read,1363::14::1703::658352::0::0

props.conf
[dyn_bounce_record]
TZ = GMT
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = dyn_bounce

transforms.conf
[dyn_bounce]
FIELDS = "EmailAddress","Bounce_Type","Bounce_Rule","Bounce_Code","Timestamp","X-MailingID"
DELIMS = ","

XML Source from Dashboard

<form>
  <label>Dyn Email Reports</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="dtPicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="ddSourceType" searchWhenChanged="true">
      <label>Source Type</label>
      <choice value="dyn_bounce_record">Bounces</choice>
      <choice value="dyn_sent_record">Sent</choice>
      <choice value="dyn_complaint_record">Complaints</choice>
      <choice value="dyn_open_record">Opens</choice>
      <choice value="dyn_delivered_record">Delivered</choice>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="text" token="txtEmail" searchWhenChanged="true">
      <label>Email Address</label>
      <default>*</default>
      <seed>*</seed>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Dyn Reporting</title>
      <event>
        <search>
          <query>index=dyn sourcetype=$ddSourceType$ $txtEmail$</query>
          <earliest>$dtPicker.earliest$</earliest>
          <latest>$dtPicker.latest$</latest>
        </search>
        <option name="count">25</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <fields>["host","source","sourcetype"]</fields>
      </event>
    </panel>
  </row>
</form>

I am running Splunk Enterprise 6.2 on Windows Server 2008 R2 x64

Reply
1 Solution
Solved! Jump to solution
Solution

Raghav2384
Motivator
‎10-31-2014 10:26 PM

Just as nfilippi mentioned, if you have restricted fields, only those would be displayed in my Interesting fields

Example: Lets say you have 100 Interesting fields before search.
index = abc sourcetype=xyz|fields source,user,uid,ip,_raw,_time|timechart count by user

Now i am down from 100 to 4 fields.Hope this helps

View solution in original post

Reply
Solved! Jump to solution
Solution

Raghav2384
Motivator
‎10-31-2014 10:26 PM

Just as nfilippi mentioned, if you have restricted fields, only those would be displayed in my Interesting fields

Example: Lets say you have 100 Interesting fields before search.
index = abc sourcetype=xyz|fields source,user,uid,ip,_raw,_time|timechart count by user

Now i am down from 100 to 4 fields.Hope this helps

Reply
Solved! Jump to solution

john_l_mottola
Engager
‎11-01-2014 12:52 PM

Thanks, this worked just as expected.

0 Karma
Reply
Solved! Jump to solution

nfilippi_splunk
Splunk Employee
Splunk Employee
‎10-31-2014 02:44 PM

Can you share your xml?

Also note that dashboards run searches in fast mode by default. So if you want/need specific fields to be parsed and available (in a post process for example), you will need to add the fields command to your base search with the fields you want.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...