Update: So doing a little more investigation it looks like the line
| search Result="Correct"
is what is actually giving me problems on the dashboard coming out of the post processing search. When I just do the 2nd line of the sub-search it works fine.
I have a very simple query that runs correctly in search, but when I try to use it on a dashboard, it doesn't come back with anything. The raw search is:
earliest=0 index=scoreboard_admin user!=admin Number=3 `get_user_info`
| search Result="Correct"
| stats dc(user) as "Users Who Completed"
Which returns the correct answer (19).
When I put it in my dashboard (as a post-processing search), I don't come up with anything.
<search id="base">
<query>
earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info`
</query>
<earliest>0</earliest>
<latest>now</latest>
<done>
<set token="tokHTML">$result.data$</set>
</done>
</search>
<panel id="users_correct">
<table>
<title>Users with Correct Answer</title>
<search base="base">
<query>| search Result="Correct"
| stats dc(user) as "Users Who Completed"</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
The original post-processing search only returns about 300 records so not worried about hitting that limit. Also, I have another post-processing search based on the same base search that does work just fine.
When I do an inspection on the dashboard, this is what I get:
Duration (seconds) Component Invocations Input count Output count
0.00 command.eval 3 317 317
0.00 command.fields 2 317 317
0.02 command.lookup 3 317 317
0.02 command.search 2 - 317
0.03 command.search.expand_search 2 - -
0.00 command.search.filter 1 - -
0.00 command.search.index 3 - -
0.00 command.search.calcfields 1 1,070 1,070
0.00 command.search.fieldalias 1 1,070 1,070
0.00 command.search.index.usec_1_8 32 - -
0.01 command.search.rawdata 1 - -
0.00 command.search.kv 1 - -
0.00 command.search.lookups 1 1,070 1,070
0.00 command.search.parse_directives 2 - -
0.00 command.search.summary 2 - -
0.00 command.search.tags 1 317 317
0.00 command.search.typer 1 317 317
0.00 command.simpleresultcombiner 3 317 317
0.00 command.timeliner 3 317 317
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate.eval 2 - -
0.00 dispatch.evaluate.lookup 2 - -
0.05 dispatch.evaluate.search 2 - -
0.00 dispatch.evaluate.simpleresultcombiner 2 - -
0.04 dispatch.fetch.rcp.phase_0 3 - -
0.01 dispatch.finalWriteToDisk 1 - -
0.02 dispatch.localSearch 1 - -
0.00 dispatch.readEventsInResults 1 - -
0.02 dispatch.stream.local 2 - -
0.00 dispatch.timeline 3 - -
0.00 dispatch.writeStatus 2 - -
0.11 startup.configuration 2 - -
0.30 startup.handoff 2 - -
normalizedSearch litsearch (index=scoreboard_admin user!=admin Number=3 _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"
numPreviews None
optimizedSearch | search (user!=admin Number=3 earliest=0 index=scoreboard_admin) | lookup ctf_users Username as user | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user)
phase0 litsearch (user!=admin Number=3 index=scoreboard_admin _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"
phase1 simpleresultcombiner max=0 | lookup ctf_users Username as user | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | timeliner remote=0 partial_commits=1 max_events_per_bucket=500000 fieldstats_update_maxperiod=60 bucket=0
pid 22450
priority 5
provenance UI:Dashboard:question_investigator
remoteSearch litsearch (user!=admin Number=3 index=scoreboard_admin _time>=0.000) | fields keepcolorder=t "DisplayUsername" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "user"
When I do an inspection on the raw Search I get:
Duration (seconds) Component Invocations Input count Output count
0.00 command.addinfo 3 19 19
0.00 command.eval 3 19 19
0.00 command.fields 2 317 317
0.09 command.lookup 3 317 317
0.07 command.search 5 317 336
0.06 command.search.expand_search 2 - -
0.00 command.search.filter 4 - -
0.00 command.search.index 3 - -
0.00 command.search.calcfields 1 1,070 1,070
0.00 command.search.fieldalias 1 1,070 1,070
0.00 command.search.index.usec_1_8 32 - -
0.05 command.search.rawdata 1 - -
0.02 command.search.typer 1 317 317
0.01 command.search.kv 1 - -
0.00 command.search.lookups 1 1,070 1,070
0.00 command.search.parse_directives 2 - -
0.00 command.search.summary 2 - -
0.00 command.search.tags 1 317 317
0.00 command.simpleresultcombiner 3 317 317
0.00 command.stats 4 19 1
0.00 command.stats.execute_input 3 19 -
0.00 command.stats.execute_output 1 - 1
0.00 command.timeliner 3 19 19
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate.eval 2 - -
0.00 dispatch.evaluate.lookup 2 - -
0.10 dispatch.evaluate.search 4 - -
0.00 dispatch.evaluate.simpleresultcombiner 2 - -
0.00 dispatch.evaluate.stats 2 - -
0.12 dispatch.fetch.rcp.phase_0 3 - -
0.00 dispatch.finalWriteToDisk 1 - -
0.07 dispatch.localSearch 1 - -
0.07 dispatch.stream.local 2 - -
0.00 dispatch.timeline 3 - -
0.00 dispatch.writeStatus 2 - -
0.06 startup.configuration 2 - -
0.03 startup.handoff 2 - -
optimizedSearch | search (user!=admin Number=3 earliest=0 index=scoreboard_admin) | lookup ctf_users Username as user| search Result="Correct" | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | stats dc(user) as "Users Who Completed"
phase0 litsearch (user!=admin Number=3 index=scoreboard_admin time>=0.000) | fields keepcolorder=t "*" "DisplayUsername" "Result" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "prestats_reserved" "psrsvd_" "source" "sourcetype" "splunk_server" "user"
phase1 simpleresultcombiner max=0 | lookup ctf_users Username as user | search Result="Correct" | eval Team=if((Team != ""),Team,DisplayUsername), Team=if((Team != ""),Team,Username), Team=if((Team != ""),Team,user) | addinfo type=count label=prereport_events track_fieldmeta_events=true | timeliner remote=0 partial_commits=1 max_events_per_bucket=1000 fieldstats_update_maxperiod=60 bucket=300 extra_field=* | stats dc(user) as "Users Who Completed"
pid 23844
priority 5
provenance UI:Search
remoteSearch litsearch (user!=admin Number=3 index=scoreboard_admin time>=0.000) | fields keepcolorder=t "*" "DisplayUsername" "Result" "Team" "Username" "_bkt" "_cd" "_si" "host" "index" "linecount" "prestats_reserved" "psrsvd_" "source" "sourcetype" "splunk_server" "user"
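The two inspector dumps above differ in the phase0 `fields` list: the dashboard job keeps no "Result" field, while the search-page job keeps "*" and "Result", which matches Splunk's documented behaviour that a non-transforming base search passes only the fields it references to post-process searches. As an added example (not part of the original post), the base search below names the needed fields explicitly. The field list is an assumption built from the fields shown in the inspector output plus Result.

```xml
<!-- Added example: the post's base search with one change, an explicit
     fields command, so that "Result" survives into the post-process search. -->
<search id="base">
  <query>
    earliest=0 index=scoreboard_admin user!=admin $QuestionNum$ `get_user_info`
    | fields user Result Team DisplayUsername Username
  </query>
  <earliest>0</earliest>
  <latest>now</latest>
  <done>
    <set token="tokHTML">$result.data$</set>
  </done>
</search>
<panel id="users_correct">
  <table>
    <title>Users with Correct Answer</title>
    <!-- Post-process search unchanged from the post; it can now filter on Result. -->
    <search base="base">
      <query>| search Result="Correct"
| stats dc(user) as "Users Who Completed"</query>
    </search>
  </table>
</panel>
```

After the change, the dashboard job's phase0 `fields` list in the search inspector should include "Result", which is a quick way to confirm the field reaches the post-process search.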