Splunk Search

Why does the search on my dashboard show "No result found" and fail to load the panel, but opening in search is successful?

kylbarne
New Member

Hello!

As the title states, my dashboard fails to load a panel that performs a search. If I click "Open in search" I see the expected results.

Any idea why?

If I click "open in search" the following is in the search bar:

host=108827 sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId | search | chart  count(psirtColdId) over "Description" by my_date usenull=F


<form>
  <label>PSIRTS per month by PSIRT description</label>
  <search id="parent">
    <query>host=$cust$ sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId</query>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="cust">
      <label>Customer</label>
      <fieldForLabel>cpyName</fieldForLabel>
      <fieldForValue>cpyKey</fieldForValue>
      <search>
        <query>sourcetype=companies managerUserId=name | dedup cpyKey | fields cpyKey, clusterName, cpyName, npUrl, managerUserId</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Top customer PSIRT exposure, as of last 24 hours</title>
      <table>
        <search>
          <query>sourcetype=psirt_details matchConfidence="Vulnerable"  cpyKey=$cust$ | top "Description" psirtColdId</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Number of devices impacted by selected PSIRT ID</title>
        <search base="parent">
          <query>search | chart  count(psirtColdId) over "Description" by my_date usenull=F</query>
        </search>
        <option name="refresh.display">preview</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
1 Solution

somesoni2
SplunkTrust

Change your base search element like this

<search id="parent">
  <query>host=$cust$ sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId | fields my_date psirtColdId deviceId</query>
</search>

kylbarne
New Member

This doesn't look to have made a change, unfortunately. I used the same panel search as original posting plus what the other poster has suggested -- removing the search | from the panel search field.

0 Karma

somesoni2
SplunkTrust

So your panel search element should be this

<search base="parent">
  <query>chart  count(psirtColdId) over "Description" by my_date usenull=F</query>
</search>

If this doesn't work, change | fields .. with | table .. in the base search.

0 Karma

kylbarne
New Member

That is my current panel search and changing | fields to | table did not change the result, unfortunately.

0 Karma

somesoni2
SplunkTrust

Can you test this?

<form>
   <label>PSIRTS per month by PSIRT description</label>
   <search id="parent">
     <query>host=$cust$ sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId | table my_date psirtColdId deviceId</query>
     <earliest>0</earliest>
     <latest>now</latest>
   </search>
   <fieldset submitButton="true" autoRun="true">
     <input type="dropdown" token="cust">
       <label>Customer</label>
       <fieldForLabel>cpyName</fieldForLabel>
       <fieldForValue>cpyKey</fieldForValue>
       <search>
         <query>sourcetype=companies managerUserId=name | dedup cpyKey | fields cpyKey, clusterName, cpyName, npUrl, managerUserId</query>
       </search>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <title>Number of devices impacted by selected PSIRT ID</title>
         <search base="parent">
           <query>chart  count(psirtColdId) over "Description" by my_date usenull=F</query>
         </search>
         <option name="refresh.display">preview</option>
       </table>
     </panel>
   </row>
 </form>
0 Karma

kylbarne
New Member

No change. One thing I noticed is that if I do a manual search WITH table my_date psirtColdId deviceId</query> in my parent search...it doesn't work.

0 Karma

kylbarne
New Member

To clarify, the manual search looks like this:

host=108827 sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId | chart  count(psirtColdId) over "Description" by my_date usenull=F

Works like a champ

0 Karma

somesoni2
SplunkTrust

My bad. Change the base search to this (missed field Description before)

host=$cust$ sourcetype=psirt_details matchConfidence="Vulnerable" | eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId | table my_date psirtColdId deviceId Description
0 Karma
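
An added example, not part of any post in this thread: a small Python lint for the failure fixed above, where an event-returning base search did not pass `Description` to the post-process panel. The function names, the keyword list and the trimmed sample XML are assumptions made for this illustration; the field extraction is a heuristic that only understands a trailing `| fields` or `| table` stage in the base search.

```python
import re
import xml.etree.ElementTree as ET

# SPL commands/functions/options that are not field names (heuristic, covers this thread's queries).
NOT_FIELDS = {"search", "chart", "stats", "top", "count", "over", "by", "as", "usenull"}

def passed_fields(base_query):
    """Fields listed by a trailing `| fields` or `| table` stage; empty set if there is none."""
    last_stage = base_query.split("|")[-1].strip()
    m = re.match(r"(?:fields|table)\s+(.+)", last_stage)
    return {f.strip('"') for f in re.split(r"[,\s]+", m.group(1)) if f} if m else set()

def used_fields(post_query):
    """Quoted or bare words in the post-process query that are not SPL keywords."""
    no_values = re.sub(r"=\S+", " ", post_query)  # drop option/comparison values
    words = re.findall(r'"([^"]+)"|([A-Za-z_][\w.]*)', no_values)
    return {q or w for q, w in words if (q or w).lower() not in NOT_FIELDS}

def lint_dashboard(xml_text):
    """Map panel title -> fields its post-process search uses but the base search does not pass."""
    root = ET.fromstring(xml_text)
    bases = {s.get("id"): s.findtext("query", "") for s in root.iter("search") if s.get("id")}
    findings = {}
    for viz in root.iter():
        for s in viz.findall("search"):
            if s.get("base") in bases:
                missing = used_fields(s.findtext("query", "")) - passed_fields(bases[s.get("base")])
                if missing:
                    findings[viz.findtext("title", "(untitled)")] = sorted(missing)
    return findings

# Constructed sample: base and panel searches copied from the thread, other elements omitted.
BASE = ('host=$cust$ sourcetype=psirt_details matchConfidence="Vulnerable" '
        '| eval my_date=strftime(_time,"%B") | dedup my_date psirtColdId deviceId ')
DASHBOARD = """<form>
  <search id="parent"><query>{base}| table {fields}</query></search>
  <row><panel><table>
    <title>Number of devices impacted by selected PSIRT ID</title>
    <search base="parent">
      <query>chart count(psirtColdId) over "Description" by my_date usenull=F</query>
    </search>
  </table></panel></row>
</form>"""

if __name__ == "__main__":
    print(lint_dashboard(DASHBOARD.format(base=BASE, fields="my_date psirtColdId deviceId")))
    print(lint_dashboard(DASHBOARD.format(base=BASE, fields="my_date psirtColdId deviceId Description")))
```

Fields created inside the post-process search itself (for example by `eval`) will be reported as missing, so treat the output as a list of panels to review rather than a verdict.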

kylbarne
New Member

Bingo! That did it! Thanks man!

0 Karma

cmerriman
Super Champion

And if instead of using a base search, you use the full search in that panel, does it populate in the dashboard?

0 Karma

kylbarne
New Member

It does!

0 Karma

cmerriman
Super Champion

is the panel you're having problems with the panel using the base search (Number of devices impacted by selected PSIRT ID)? in the query, there is search | and i suspect that has something to do with it, since it isn't actually searching for anything.

0 Karma

kylbarne
New Member

That is the panel that is having problems, yes.

0 Karma

cmerriman
Super Champion

try removing the |search at the beginning of the query in that panel and see if it works for how you need it. if you are searching for something specific, add it into that command instead, for instance |search my_date=*

0 Karma

kylbarne
New Member

Excluding " | search" did not make a difference, unfortunately. I have a parent search that uses a dropdown to populate the information that will be used in the panels, dependent on what is selected. If I create a static search that uses the values that would otherwise be passed via the dropdown... it loads just fine. I'm pretty confident it's not an issue with my token, as if I do an "open in search" it uses the variable passed by the dropdown.

Only, it doesn't load in the dashboard for some reason..

0 Karma

cmerriman
Super Champion

i just noticed it's search|, not |search in that panel, but i assume that you understood what i mean.
it likely isn't a problem with your token if your other panel is populating, since that panel uses it as well. you can add script="showtokens.js" into the form node at the top of your XML to see what populates for the token values, it's great for debugging tokens.

0 Karma