Splunk Search

Why is my post process search not displaying all columns in tables?

Communicator

Hi,

I have created a dashboard with 4 panels.
I have post process and below is the xml, but some how all columns are not displaying:

<query>index=index "$searchterm$" org_n="$droporg$" spa_n="$dropsp$" mes_ty="$droptype$" app_n="$dropapp$" source_type="$dropsource$" |rename app_n as "ApplicationName" org_n as "OrganizationName" spa_n as Environment mes_ty as "MessageType" msg as "Log Details" time as Time source_type as "SourceType" ori as Ori</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>


<panel>
  <table>
    <title>LOG Details</title>
    <search base="baseSearch">
      <query>|table Time, Ori, "OrganizationName", "ApplicationName", Environment, "SourceType", "MessageType", "Log Details"</query>
    </search>
    <option name="wrap">false</option>
    <option name="rowNumbers">false</option>
    <option name="drilldown">cell</option>
    <option name="dataOverlayMode">none</option>
    <option name="count">10</option>
  </table>
</panel>
0 Karma
1 Solution

Super Champion

the top of your syntax cut off. make sure it all looks like this:

 <search id="baseSearch">
     <query>index=index "$searchterm$" org_n="$droporg$" spa_n="$dropsp$" mes_ty="$droptype$" app_n="$dropapp$" source_type="$dropsource$" |rename app_n as "ApplicationName" org_n as "OrganizationName" spa_n as Environment mes_ty as "MessageType" msg as "Log Details" time as Time source_type as "SourceType" ori as Ori</query>
     <earliest>$time.earliest$</earliest>
     <latest>$time.latest$</latest>
      </search>

     <panel>
       <table>
         <title>LOG Details</title>
         <search base="baseSearch">
           <query>|table Time, Ori, "OrganizationName", "ApplicationName", Environment, "SourceType", "MessageType", "Log Details"</query>
         </search>
         <option name="wrap">false</option>
         <option name="rowNumbers">false</option>
         <option name="drilldown">cell</option>
         <option name="dataOverlayMode">none</option>
         <option name="count">10</option>
       </table>
     </panel>

View solution in original post

0 Karma

Super Champion

the top of your syntax cut off. make sure it all looks like this:

 <search id="baseSearch">
     <query>index=index "$searchterm$" org_n="$droporg$" spa_n="$dropsp$" mes_ty="$droptype$" app_n="$dropapp$" source_type="$dropsource$" |rename app_n as "ApplicationName" org_n as "OrganizationName" spa_n as Environment mes_ty as "MessageType" msg as "Log Details" time as Time source_type as "SourceType" ori as Ori</query>
     <earliest>$time.earliest$</earliest>
     <latest>$time.latest$</latest>
      </search>

     <panel>
       <table>
         <title>LOG Details</title>
         <search base="baseSearch">
           <query>|table Time, Ori, "OrganizationName", "ApplicationName", Environment, "SourceType", "MessageType", "Log Details"</query>
         </search>
         <option name="wrap">false</option>
         <option name="rowNumbers">false</option>
         <option name="drilldown">cell</option>
         <option name="dataOverlayMode">none</option>
         <option name="count">10</option>
       </table>
     </panel>

View solution in original post

0 Karma

Communicator

yes it is there but not some how it was deleted while posting the question.

when i run the same query in search head separately its working but when i use the post porocess it showing all columns except Time and "Log Details" in tables

0 Karma

SplunkTrust
SplunkTrust

it's a bug I already reported to Splunk Support.
I found a workaround: insert in base search | eval field1=field1, field2=field2.
In this way it runs.
Bye.
Giuseppe

0 Karma

Super Champion

when you have the post process, and you click 'open in search' does it return everything? does the base search come through with all the tokens passed correctly?

0 Karma

Communicator

Yes its returning everything when i 'open in search'

base search is coming with all tokens which i passed.

i try ti display only 2 columns which are not showing before
|table Time "Log Details"

when i open this in dashbaord,it shows blank but if i open it in 'open in search' it displaying Columns properly

0 Karma

Super Champion

have you tried it without renaming anything? Or trying to put the rename before |table instead of in the base search? I doubt the rename is the problem, just trying to debug.

0 Karma

Communicator

YES i just tried,without renaming and tried to put rename before |table

but still getting the same results.

0 Karma

Communicator

did i miss any here.same kind of concept is working another dashboard with different visualizations.

0 Karma

Super Champion

this is about the best i can think of. moving the base search up top and making sure you have ... enclosed around the query.

<form>
   <search id="baseSearch">
 <query>index=index "$searchterm$" cf_org_name="$droporg$" cf_space_name="$dropspace$" message_type="$droptype$" cf_app_name="$dropapp$" source_type="$dropsource$" origin="$droporigin$"</query>
 <earliest>$time.earliest$</earliest>
 <latest>$time.latest$</latest>
  </search>
<query>index=index |rename message_type as MessageType |dedup MessageType|sort +MessageType| table MessageType</query>
 <earliest>-60min</earliest>
 <latest>now</latest>


 <query>index=index | rename cf_org_name as OrganizationName|dedup OrganizationName | sort +OrganizationName |table OrganizationName</query>
 <earliest>-60min</earliest>
 <latest>now</latest>


 <query>index=index |rename cf_space_name as Environment |dedup Environment |sort +Environment | table Environment</query>
 <earliest>-60min</earliest>
 <latest>now</latest>


 <query>index=index  |rename cf_app_name as ApplicationName |dedup ApplicationName | sort +ApplicationName | table ApplicationName</query>
 <earliest>-60min</earliest>
 <latest>now</latest>


 <query>index=index  | rename origin as Origin |dedup Origin|sort +Origin| table Origin</query>
 <earliest>-60min</earliest>
 <latest>now</latest>


 <query>index=index  | rename source_type as SourceType|dedup SourceType|sort +SourceType| table SourceType</query>
 <earliest>-60min</earliest>
 <latest>now</latest>


 <input type="time" token="time" searchWhenChanged="true">
   <label>Select Time</label>
   <default>
     <earliest>-5m</earliest>
     <latest>now</latest>
   </default>
 </input>
 <input type="dropdown" token="droptype" searchWhenChanged="true">
   <label>Select Message Type</label>
   <choice value="*">All</choice>
   <search base="searchMsgType">
     <query></query>
   </search>
   <fieldForLabel>MessageType</fieldForLabel>
   <fieldForValue>MessageType</fieldForValue>
   <default>*</default>
   <initialValue>*</initialValue>
 </input>
 <input type="dropdown" token="droporg" searchWhenChanged="true">
   <label>Select Org</label>
   <choice value="*">All</choice>
   <search base="searchOrg">
     <query></query>
   </search>
   <fieldForLabel>OrganizationName</fieldForLabel>
   <fieldForValue>OrganizationName</fieldForValue>
   <default>NAM-US-CCP</default>
   <initialValue>*</initialValue>
 </input>
 <input type="dropdown" token="dropspace" searchWhenChanged="true">
   <label>Select Space</label>
   <choice value="*">All</choice>
   <search base="searchSpace">
     <query></query>
   </search>
   <fieldForLabel>Environment</fieldForLabel>
   <fieldForValue>Environment</fieldForValue>
   <initialValue>*</initialValue>
   <default>lab</default>
 </input>
 <input type="dropdown" token="dropapp" searchWhenChanged="true">
   <label>Select App</label>
   <choice value="*">All</choice>
   <search base="searchApp">
     <query></query>
     <earliest>0</earliest>
     <latest></latest>
   </search>
   <fieldForLabel>ApplicationName</fieldForLabel>
   <fieldForValue>ApplicationName</fieldForValue>
   <default>*</default>
   <initialValue>*</initialValue>
 </input>
 <input type="dropdown" token="droporigin" searchWhenChanged="true">
   <label>Select Origin</label>
   <choice value="*">All</choice>
   <search base="searchOrigin">
     <query></query>
   </search>
   <fieldForLabel>Origin</fieldForLabel>
   <fieldForValue>Origin</fieldForValue>
   <default>*</default>
   <initialValue>*</initialValue>
 </input>
 <input type="dropdown" token="dropsource" searchWhenChanged="true">
   <label>Select Source Type</label>
   <choice value="*">All</choice>
   <search base="searchSource">
     <query></query>
   </search>
   <fieldForLabel>SourceType</fieldForLabel>
   <fieldForValue>SourceType</fieldForValue>
   <initialValue>*</initialValue>
   <default>*</default>
 </input>
 <input type="text" token="searchterm" searchWhenChanged="true">
   <label>Search Term</label>
 </input>


 <panel>
   <table>
     <title>LogInfo by Origin, Source, ApplicationName, OrgName, Environment, MessageType</title>
     <search base="baseSearch">
       <query>|table time, origin, cf_org_name, cf_app_name, cf_space_name, source_type, message_type, msg</query>
     </search>
     <option name="wrap">false</option>
     <option name="rowNumbers">false</option>
     <option name="drilldown">cell</option>
     <option name="dataOverlayMode">none</option>
     <option name="count">10</option>
   </table>
 </panel>


 <panel>
   <table>
     <title>MessageType count by Application</title>
     <search>
       <query>index=index cf_app_name="$dropapp$" |rename cf_app_name as "Application Name" message_type as MessageType |chart count by "Application Name" MessageType usenull=f useother=f|head 9 |sort +"Application Name"|addtotals fieldname="Total" col=t label="Total per Message Type" labelfield="Application Name" |fieldformat Total=tostring(Total, "commas")</query>
       <earliest>$time.earliest$</earliest>
       <latest>$time.latest$</latest>
     </search>
     <option name="wrap">true</option>
     <option name="rowNumbers">true</option>
     <option name="drilldown">cell</option>
     <option name="dataOverlayMode">none</option>
     <option name="count">10</option>
   </table>
 </panel>


 <panel>
   <table>
     <title>Message Type Count by Origin, Org, App, Space, source and LogInfo</title>
     <search base="baseSearch">
       <query>|eventstats count by Origin,ApplicationName,Environment,OrganizationName, "Log Info",message_type|stats count as "Message Type Count" by Time Origin OrganizationName ApplicationName Environment SourceType MessageType "Log Info"</query>
     </search>
     <option name="wrap">true</option>
     <option name="rowNumbers">false</option>
     <option name="drilldown">cell</option>
     <option name="dataOverlayMode">none</option>
     <option name="count">10</option>
   </table>
 </panel>


 <panel>
   <table>
     <title>MessageType Count by Organization</title>
     <search>
       <query>index=index cf_org_name="$droporg$" |rename cf_org_name as "Organization Name" message_type as MessageType |chart count by "Organization Name" MessageType usenull=f useother=f | head 9| sort +"Organization Name"|addtotals fieldname="Total" col=t label="Total per Message Type" labelfield="Organization Name" |fieldformat Total=tostring(Total, "commas")</query>
       <earliest>$time.earliest$</earliest>
       <latest>$time.latest$</latest>
     </search>
     <option name="wrap">undefined</option>
     <option name="rowNumbers">undefined</option>
     <option name="drilldown">row</option>
     <option name="dataOverlayMode">none</option>
     <option name="count">10</option>
   </table>
 </panel>
</form>
0 Karma

Communicator

Thank you,when i select fields explicitly using fields command beside table,its working.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!