When I run this search:
index=_internal NOT "SSL Error*" AND (log_level="WARN" OR log_level="ERROR") AND
("Login failed" OR "Configuration error" OR "Access is denied" OR "ICMA" OR "tenablesc" OR "odata") |
stats sparkline(count) AS Trend, count(_time) AS Occurs by log_level,message | where Occurs > 9 |
eval level=case(log_level="ERROR",1,log_level="WARN",2,log_level="INFO",3) | sort level, -Occurs |
rename log_level AS Level, message AS Message | fields level, Level, Trend, Occurs, Message
I get these results:
However, when I try to do the same thing using this Advanced XML:
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search"><![CDATA[index=_internal NOT "SSL Error*" AND (log_level="WARN" OR log_level="ERROR") AND
("Login failed" OR "Configuration error" OR "Access is denied" OR "ICMA" OR "tenablesc" OR "odata") |
stats sparkline(count) AS Trend, count(_time) AS Occurs by log_level,message | where Occurs > 9 |
eval level=case(log_level="ERROR",1,log_level="WARN",2,log_level="INFO",3) | sort level, -Occurs |
rename log_level AS Level, message AS Message | fields level, Level, Trend, Occurs, Message]]></param>
  <module name="JobProgressIndicator"></module>
  <module name="Pager">
    results
    <module name="Table">
      <param name="hiddenFields">"level"</param>
      <param name="name">click</param>
      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search index=_internal AND "$click.fields.Message$"</param>
        <param name="arg.earliest">$search.timeRange.earliest$</param>
        <param name="arg.latest">$search.timeRange.latest$</param>
      </module>
    </module>
  </module>
</module>
(Please forgive the poor formatting. I couldn't get the XML to display properly as code.)
I get these results:
Level | Trend | Occurs | Message
ERROR | ##__SPARKLINE__## 0 4 1 0 5 0 5 0 5 0 5 0 0 5 0 5 0 5 0 1 4 0 5 0 5 0 5 0 4 1 0 5 0 6 0 5 0 0 5 0 5 0 5 0 1 4 0 5 0 | 106 | Login failed: Username and password are required
ERROR | ##__SPARKLINE__## 0 2 1 0 3 0 3 0 3 0 3 0 0 3 0 3 0 3 0 1 2 0 3 0 3 0 3 0 3 0 0 3 0 6 0 3 0 0 3 0 3 0 3 0 0 3 0 3 0 | 66 | Login failed. Incorrect login for user: admin
This looks like a bug in Sideview Utils. How can I get the dashboard to look like the search?