Splunk Search

Why does my search work in the Search and Reporting app, but not in the traffic light example XML dashboard?

david_poulin
New Member

Hi,

We are trying to construct a search to provide server health information based upon the traffic light example to show a green light if all is okay... and so on.

Our search tells us the number of files to synchronize with another server, and with the rangemap option we should be able to display the right picture.

Here is our search:

index="vaultlogs" earliest="-7d" | spath Message  | search Message=BacklogsPerServer "Properties.BL.ReceivingMemberServerOnly"="brasov-ad2"  | spath "Properties.BL.Backlog" output=backlogs  | stats first(backlogs) as value| rangemap field=value low=0-2000 elevated=2001-5000 severe=5001-500000 default=low

If we use it in the search, it tells us that we have a value of 6 and the range is low, but when I transfer the search into the traffic light example XML dashboard... I have a "N\A" text display instead of the corresponding traffic light image.
Here is the first XML part:

<dashboard stylesheet="trafficlight.css">
  <label>Traffic Light Examples</label>
  <description>Build traffic light visualisations into your app using this guide.</description>
    <row>
        <single>
            <title>None</title>
            <searchString>index="vaultlogs" earliest="-7d" | spath Message  | search Message=BacklogsPerServer "Properties.BL.ReceivingMemberServerOnly"="brasov-ad2"  | spath "Properties.BL.Backlog" output=backlogs  | stats first(backlogs) as value| rangemap field=value low=0-2000 elevated=2001-5000 severe=5001-500000 default=low</searchString>
            <earliestTime>-7d</earliestTime>
            <latestTime>now</latestTime>
            <option name="classField">range</option>
            <option name="field">value</option>
        </single>
0 Karma

rsennett_splunk
Splunk Employee

First thing I'd look at is to run the search from within the app to be sure there isn't some odd permissions situation.
Easiest way to do that is to go to Settings>User Interface>navigation menus>default.
Add the following to the menus for the Traffic Light App (and correct some weirdness):

<nav search_view="search" color="#FDC95A">
  <view name="traffic_light_examples" default='true' />
  <view name="search" />
  <view name="dashboards" />
</nav>

Now you'll have a link to the search view and dashboards and just make your life easier.
Run your search in the search view within the traffic light app.
That'll tell you whether your environment has some kind of unknown restrictions on your data access. (I can't think of why, but getting data from within the app is a good first step)

I would also add a panel to your test dashboard that just shows the statistics, that way you will see if you are getting data in that context and that will help you pinpoint where to troubleshoot. I don't see anything wrong with the search or your code.

So the only thing left is data retrieval and permissions. If it was the other way around (not working in search app), then we'd know that because the Traffic App has APP permissions that you don't have access from the search app... the other way around is going to point to custom permissions or some nuance that isn't obvious unless you can poke around.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
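
The diagnostic panel suggested in the answer above, sketched as an added example (not code from either poster or from the Traffic Light app). It reuses the question's search and legacy Simple XML elements unchanged; the label, panel titles and the extra raw event count panel are assumptions made for illustration.

```xml
<!-- Added example: debug copy of the question's dashboard.
     Label and panel titles are hypothetical. -->
<dashboard stylesheet="trafficlight.css">
  <label>Traffic Light Debug (example)</label>
  <row>
    <!-- 1. The single value panel exactly as posted in the question -->
    <single>
      <title>Backlog traffic light</title>
      <searchString>index="vaultlogs" earliest="-7d" | spath Message  | search Message=BacklogsPerServer "Properties.BL.ReceivingMemberServerOnly"="brasov-ad2"  | spath "Properties.BL.Backlog" output=backlogs  | stats first(backlogs) as value| rangemap field=value low=0-2000 elevated=2001-5000 severe=5001-500000 default=low</searchString>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <option name="classField">range</option>
      <option name="field">value</option>
    </single>
  </row>
  <row>
    <!-- 2. Same search rendered as plain statistics.
         A row with "value" and "range" here means the search works in
         this app context and the problem is in how the single panel
         renders. No row means the search returns nothing here. -->
    <table>
      <title>Same search, raw statistics</title>
      <searchString>index="vaultlogs" earliest="-7d" | spath Message  | search Message=BacklogsPerServer "Properties.BL.ReceivingMemberServerOnly"="brasov-ad2"  | spath "Properties.BL.Backlog" output=backlogs  | stats first(backlogs) as value| rangemap field=value low=0-2000 elevated=2001-5000 severe=5001-500000 default=low</searchString>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
  <row>
    <!-- 3. Extra check (assumption, not from the thread): a bare event
         count. Zero here while the Search app returns events points at
         data access or permissions in this app context rather than at
         the spath or rangemap steps. -->
    <table>
      <title>Events visible from this app</title>
      <searchString>index="vaultlogs" earliest="-7d" | stats count</searchString>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</dashboard>
```

Reading the three panels top to bottom separates a rendering problem (panels 2 and 3 populated, panel 1 showing N/A) from a field extraction problem (panel 3 populated, panel 2 empty) and from a data access problem (panel 3 showing zero).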