Splunk Search

Why aren't my dashboard searches returning all expected field results like searches from the Search Bar?

john_l_mottola
Engager

I am trying to build dashboards for common searches to minimize what operations needs to learn, but I am having an issue. I was able to get the searches working as expected, but the results are not parsing in the dashboard as expected. When viewing this data following a search everything parses as expected, but when using the same search in a Dashboard the data is not parse properly. In the dashboard I only get host, source, sourcetype, index, linecount, and splunk_server. All of these fields are in my search, plus all the fields defined in the transforms.conf.

Sample Data
email@email.com,2014-10-31T03:59:47+00:00,10.0.0.1,read,1363::14::1703::658352::0::0

props.conf
[dyn_bounce_record]
TZ = GMT
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = dyn_bounce

transforms.conf
[dyn_bounce]
FIELDS = "EmailAddress","Bounce_Type","Bounce_Rule","Bounce_Code","Timestamp","X-MailingID"
DELIMS = ","

XML Source from Dashboard

<form>
  <label>Dyn Email Reports</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="dtPicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="ddSourceType" searchWhenChanged="true">
      <label>Source Type</label>
      <choice value="dyn_bounce_record">Bounces</choice>
      <choice value="dyn_sent_record">Sent</choice>
      <choice value="dyn_complaint_record">Complaints</choice>
      <choice value="dyn_open_record">Opens</choice>
      <choice value="dyn_delivered_record">Delivered</choice>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="text" token="txtEmail" searchWhenChanged="true">
      <label>Email Address</label>
      <default>*</default>
      <seed>*</seed>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Dyn Reporting</title>
      <event>
        <search>
          <query>index=dyn sourcetype=$ddSourceType$ $txtEmail$</query>
          <earliest>$dtPicker.earliest$</earliest>
          <latest>$dtPicker.latest$</latest>
        </search>
        <option name="count">25</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <fields>["host","source","sourcetype"]</fields>
      </event>
    </panel>
  </row>
</form>

I am running Splunk Enterprise 6.2 on Windows Server 2008 R2 x64

1 Solution

Raghav2384
Motivator

Just as nfilippi mentioned, if you have restricted fields, only those would be displayed in my Interesting fields

Example: Lets say you have 100 Interesting fields before search.
index = abc sourcetype=xyz|fields source,user,uid,ip,_raw,_time|timechart count by user

Now i am down from 100 to 4 fields.Hope this helps

View solution in original post

Raghav2384
Motivator

Just as nfilippi mentioned, if you have restricted fields, only those would be displayed in my Interesting fields

Example: Lets say you have 100 Interesting fields before search.
index = abc sourcetype=xyz|fields source,user,uid,ip,_raw,_time|timechart count by user

Now i am down from 100 to 4 fields.Hope this helps

john_l_mottola
Engager

Thanks, this worked just as expected.

0 Karma

nfilippi_splunk
Splunk Employee
Splunk Employee

Can you share your xml?

Also note that dashboards run searches in fast mode by default. So if you want/need specific fields to be parsed and available (in a post process for example), you will need to add the fields command to your base search with the fields you want.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...