Hello!
As the title states, my dashboard fails to load a panel that performs a search. If I click "Open in search" I see the expected results.
Any idea why?
If I click "open in search" the following is in the search bar:
host=108827 sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId | search | chart count(psirtColdId) over "Description" by my_date usenull=F
<form>
<label>PSIRTS per month by PSIRT description</label>
<search id="parent">
<query>host=$cust$ sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId</query>
</search>
<fieldset submitButton="true" autoRun="true">
<input type="dropdown" token="cust">
<label>Customer</label>
<fieldForLabel>cpyName</fieldForLabel>
<fieldForValue>cpyKey</fieldForValue>
<search>
<query>sourcetype=companies managerUserId=name | dedup cpyKey | fields cpyKey, clusterName, cpyName, npUrl, managerUserId</query>
</search>
</input>
</fieldset>
<row>
<panel>
<title>Top customer PSIRT exposure, as of last 24 hours</title>
<table>
<search>
<query>sourcetype=psirt_details matchConfidence="Vulnerable" cpyKey=$cust$ | top "Description" psirtColdId</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Number of devices impacted by selected PSIRT ID</title>
<search base="parent">
<query>search | chart count(psirtColdId) over "Description" by my_date usenull=F</query>
</search>
<option name="refresh.display">preview</option>
</table>
</panel>
</row>
</form>
Change your base search element like this
<search id="parent">
<query>host=$cust$ sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId | fields my_date psirtColdId deviceId </query>
</search>
This doesn't look to have made a change, unfortunately. I used the same panel search as in the original posting plus what the other poster has suggested -- removing the search | from the panel search field.
So your panel search element should be this
<search base="parent">
<query> chart count(psirtColdId) over "Description" by my_date usenull=F</query>
</search>
If this doesn't work, change | fields .. to | table .. in the base search.
That is my current panel search and changing | fields to | table did not change the result, unfortunately.
Can you test this?
<form>
<label>PSIRTS per month by PSIRT description</label>
<search id="parent">
<query>host=$cust$ sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId | table my_date psirtColdId deviceId</query>
<earliest>0</earliest>
<latest>now</latest>
</search>
<fieldset submitButton="true" autoRun="true">
<input type="dropdown" token="cust">
<label>Customer</label>
<fieldForLabel>cpyName</fieldForLabel>
<fieldForValue>cpyKey</fieldForValue>
<search>
<query>sourcetype=companies managerUserId=name | dedup cpyKey | fields cpyKey, clusterName, cpyName, npUrl, managerUserId</query>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Number of devices impacted by selected PSIRT ID</title>
<search base="parent">
<query>chart count(psirtColdId) over "Description" by my_date usenull=F</query>
</search>
<option name="refresh.display">preview</option>
</table>
</panel>
</row>
</form>
No change. One thing I noticed is that if I do a manual search WITH table my_date psirtColdId deviceId in my parent search... it doesn't work.
To clarify, the manual search looks like this:
host=108827 sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId | chart count(psirtColdId) over "Description" by my_date usenull=F
Works like a champ
My bad. Change the base search to this (missed field Description before)
host=$cust$ sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId | table my_date psirtColdId deviceId Description
Bingo! That did it! Thanks man!
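The root cause in this thread is that a post-process (base="parent") panel can only see the fields the base search explicitly keeps, so a fields/table clause that drops Description silently breaks a chart that groups over Description. The following Python script is an added example, not code from the thread or from Splunk: it parses a Simple XML form, finds every panel that post-processes a base search, and reports fields the child query references but the base does not keep, plus the two other defects discussed above (a base search with no fields/table clause, and a child query that starts with an empty "search |" stage). The SPL parsing is a deliberately narrow heuristic for chart/stats/timechart commands; the sample form and queries are constructed from the ones posted here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample form, reduced to the base search and the failing panel.
FORM_TEMPLATE = """<form>
  <label>PSIRTS per month by PSIRT description</label>
  <search id="parent">
    <query>{base}</query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <table>
        <title>Number of devices impacted by selected PSIRT ID</title>
        <search base="parent">
          <query>{child}</query>
        </search>
      </table>
    </panel>
  </row>
</form>
"""

# Base-search variants from the thread (constructed copies): no projection at all,
# a projection that forgets Description, and the one that finally worked.
ORIGINAL_BASE = ('host=$cust$ sourcetype=psirt_details matchConfidence="Vulnerable" '
                 '| eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId')
BROKEN_BASE = ORIGINAL_BASE + " | table my_date psirtColdId deviceId"
FIXED_BASE = BROKEN_BASE + " Description"
CHILD = 'chart count(psirtColdId) over "Description" by my_date usenull=F'
ORIGINAL_CHILD = "search | " + CHILD


def build_form(base_query, child_query):
    """Render the sample form with the given base and post-process queries."""
    return FORM_TEMPLATE.format(base=base_query, child=child_query)


def projected_fields(query):
    """Fields kept by the last `fields`/`table` stage of a base search (plus any
    `eval x=` after it), or None when the search never restricts its fields."""
    kept = None
    for stage in (s.strip() for s in query.split("|")):
        m = re.match(r"(fields|table)\s+(.*)$", stage)
        if m and not m.group(2).lstrip().startswith("-"):   # `fields - x` removes, skip
            names = re.split(r"[\s,]+", m.group(2).strip())
            kept = {n for n in names if n and n != "+"}
        elif kept is not None:
            m = re.match(r"eval\s+([\w.]+)\s*=", stage)
            if m:
                kept.add(m.group(1))                          # eval creates a new field
    return kept


def referenced_fields(query):
    """Fields a chart/stats/timechart stage needs: aggregate arguments and the
    split-by fields after `over` / `by`. Other commands are ignored (heuristic)."""
    refs = set()
    for stage in (s.strip() for s in query.split("|")):
        m = re.match(r"(chart|stats|timechart)\s+(.*)$", stage)
        if not m:
            continue
        body = m.group(2)
        refs.update(re.findall(r"\w+\(\s*([\w.]+)\s*\)", body))        # count(field)
        refs.update(re.findall(r"\b(?:over|by)\s+\"?([\w.]+)\"?", body))
    return {f for f in refs if f != "*"}


def check_dashboard(xml_text):
    """Return {panel_title: [issue, ...]} for panels that post-process a base search.
    An empty dict means nothing suspicious was found."""
    root = ET.fromstring(xml_text)
    bases = {s.get("id"): (s.findtext("query") or "").strip()
             for s in root.iter("search") if s.get("id")}
    problems = {}
    for panel in root.iter("panel"):
        title = (panel.findtext("title") or panel.findtext("table/title")
                 or panel.findtext("chart/title") or "<untitled>")
        for s in panel.iter("search"):
            base = s.get("base")
            if not base:
                continue
            child = (s.findtext("query") or "").strip()
            issues = []
            if base not in bases:
                issues.append(f"base '{base}' is not defined in this form")
            else:
                kept = projected_fields(bases[base])
                if kept is None:
                    issues.append(f"base '{base}' has no fields/table clause, so the "
                                  "post-process search only sees default fields")
                else:
                    for f in sorted(referenced_fields(child) - kept):
                        issues.append(f"field '{f}' is used by the panel but not kept by base '{base}'")
            if re.match(r"search\s*(\||$)", child):
                issues.append("panel query starts with an empty 'search' stage")
            if issues:
                problems.setdefault(title, []).extend(issues)
    return problems


if __name__ == "__main__":
    for label, base, child in [("original", ORIGINAL_BASE, ORIGINAL_CHILD),
                               ("missing Description", BROKEN_BASE, CHILD),
                               ("fixed", FIXED_BASE, CHILD)]:
        print(label, "->", check_dashboard(build_form(base, child)) or "no issues")
```

Run as-is it walks the three variants from the thread: the original form is flagged for both the missing projection and the empty search stage, the intermediate form is flagged only for Description, and the final form is clean. The same check_dashboard() can be pointed at a real form's XML text before it is deployed.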
And if instead of using a base search, you use the full search in that panel, does it populate in the dashboard ?
It does!
Is the panel you're having problems with the panel using the base search (Number of devices impacted by selected PSIRT ID)? In the query there is search | and I suspect that has something to do with it, since it isn't actually searching for anything.
That is the panel that is having problems, yes.
Try removing the |search at the beginning of the query in that panel and see if it works for how you need it. If you are searching for something specific, add it into that command instead, for instance |search my_date=*
Excluding " | search" did not make a difference, unfortunately. I have a parent search that uses a dropdown to populate the information that will be used in the panels, dependent on what is selected. If I create a static search that uses the values that would otherwise be passed via the dropdown... it loads just fine. I'm pretty confident it's not an issue with my token, as if I do an "open in search" it uses the variable passed by the dropdown.
Only, it doesn't load in the dashboard for some reason..
I just noticed it's search| , not |search in that panel, but I assume that you understood what I mean.
It likely isn't a problem with your token if your other panel is populating, since that panel uses it as well. You can add script="showtokens.js" into the form node at the top of your XML to see what populates for the token values; it's great for debugging tokens.