Hi
My search :
index="abc" (source="tac.log" DebugLevelSrc=xxx "*ccc*") OR (source="crt.log" DebugLevelSrc=xxx "*ccc*" ) OR (source="mat.log" DebugLevelSrc=xxx "*ccc*" ) | replace "tac.log" WITH "QA Log" in source | replace "crt.log" WITH "DEV Log" in source| replace "mat.log" WITH "UA Log" in source | stats count by source
The above search works fine interactively (in splunk search box) but not in dashboard.
Splunk version used 6.1.3
Tried !CDATA [ tag but didnt work. and search doesn't have any regex
Please tell me whats going wrong in my search
BTW, this has nothing to do with automatic simple XML Dashboard (the tag you added for this question), as that add-on is used to generate timecharts from a simple CSV file definition to quickly get trending dashboards.
Anyway, here's how you may debug your search. Make it simpler to test:
index="abc" (source="tac.log" DebugLevelSrc=xxx "ccc") |replace "tac.log" WITH "QA Log" in source | stats count by source
If that works in search and doesn't work in dashboards, then, click on the little i in the panel for inspect in search (there is also an option to open in search) to see what search is run behind the scenes. If that search works in "open in search" and not in the the dashboard, then, you may want to contact support.
Could you post your non-working dashboard code?
BTW, this has nothing to do with automatic simple XML Dashboard (the tag you added for this question), as that add-on is used to generate timecharts from a simple CSV file definition to quickly get trending dashboards.
Anyway, here's how you may debug your search. Make it simpler to test:
index="abc" (source="tac.log" DebugLevelSrc=xxx "ccc") |replace "tac.log" WITH "QA Log" in source | stats count by source
If that works in search and doesn't work in dashboards, then, click on the little i in the panel for inspect in search (there is also an option to open in search) to see what search is run behind the scenes. If that search works in "open in search" and not in the the dashboard, then, you may want to contact support.
Thanks ndoshi
It worked !!
Problem was this field " DebugLevelSrc=xxx" which i've extracted had private permission. so search didn't work in dashboard.