Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

john_l_mottola
Engager
‎10-31-2014 01:50 PM

I am trying to build dashboards for common searches to minimize what operations needs to learn, but I am having an issue. I was able to get the searches working as expected, but the results are not parsing in the dashboard as expected. When viewing this data following a search everything parses as expected, but when using the same search in a Dashboard the data is not parse properly. In the dashboard I only get host, source, sourcetype, index, linecount, and splunk_server. All of these fields are in my search, plus all the fields defined in the transforms.conf.

Sample Data
email@email.com,2014-10-31T03:59:47+00:00,10.0.0.1,read,1363::14::1703::658352::0::0

props.conf
[dyn_bounce_record]
TZ = GMT
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = dyn_bounce

transforms.conf
[dyn_bounce]
FIELDS = "EmailAddress","Bounce_Type","Bounce_Rule","Bounce_Code","Timestamp","X-MailingID"
DELIMS = ","

XML Source from Dashboard

<form>
  <label>Dyn Email Reports</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="dtPicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="ddSourceType" searchWhenChanged="true">
      <label>Source Type</label>
      <choice value="dyn_bounce_record">Bounces</choice>
      <choice value="dyn_sent_record">Sent</choice>
      <choice value="dyn_complaint_record">Complaints</choice>
      <choice value="dyn_open_record">Opens</choice>
      <choice value="dyn_delivered_record">Delivered</choice>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="text" token="txtEmail" searchWhenChanged="true">
      <label>Email Address</label>
      <default>*</default>
      <seed>*</seed>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Dyn Reporting</title>
      <event>
        <search>
          <query>index=dyn sourcetype=$ddSourceType$ $txtEmail$</query>
          <earliest>$dtPicker.earliest$</earliest>
          <latest>$dtPicker.latest$</latest>
        </search>
        <option name="count">25</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <fields>["host","source","sourcetype"]</fields>
      </event>
    </panel>
  </row>
</form>

I am running Splunk Enterprise 6.2 on Windows Server 2008 R2 x64

Reply
1 Solution
Solved! Jump to solution
Solution

Raghav2384
Motivator
‎10-31-2014 10:26 PM

Just as nfilippi mentioned, if you have restricted fields, only those would be displayed in my Interesting fields

Example: Lets say you have 100 Interesting fields before search.
index = abc sourcetype=xyz|fields source,user,uid,ip,_raw,_time|timechart count by user

Now i am down from 100 to 4 fields.Hope this helps

View solution in original post

Reply
Solved! Jump to solution
Solution

Raghav2384
Motivator
‎10-31-2014 10:26 PM

Just as nfilippi mentioned, if you have restricted fields, only those would be displayed in my Interesting fields

Example: Lets say you have 100 Interesting fields before search.
index = abc sourcetype=xyz|fields source,user,uid,ip,_raw,_time|timechart count by user

Now i am down from 100 to 4 fields.Hope this helps

Reply
Solved! Jump to solution

john_l_mottola
Engager
‎11-01-2014 12:52 PM

Thanks, this worked just as expected.

0 Karma
Reply
Solved! Jump to solution

nfilippi_splunk
Splunk Employee
Splunk Employee
‎10-31-2014 02:44 PM

Can you share your xml?

Also note that dashboards run searches in fast mode by default. So if you want/need specific fields to be parsed and available (in a post process for example), you will need to add the fields command to your base search with the fields you want.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...