Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why can't I see results from (JavaScript) SearchManager with double quotes in search?

danillopavan
Communicator
‎10-19-2017 09:55 AM

Hello all,

I am using the object SearchManager for the below query, however it is not returning anything. Executing the same query directly in search, we can find the results. Probably it is something related to the double quotes in the replacement command within the query:

 var myquery=  'sourcetype=XXX | eval time_resumo=substr(time,6,2) | eval IP = replace(replace(IP, "\."," "),":"," ") |  
         lookup unidadedepara.csv IP OUTPUT PLANTA |   timechart span=1h avg(time_resumo) by PLANTA'

Is there any special way to configure (store) the above query in variable via JavaScript to be executed via SearchManager?

Thanks and regards,
Danillo Pavan

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎10-20-2017 08:03 AM

I don't think the double-quotes are the issue. I have used many query strings in javascript with double-quotes - formatted just like yours. Is it possible that the csv file is not accessible to the user/app that is running this? If PLANTA is not being returned from the lookup, then the final command would output nothing, I believe. Have you tried trimming the query down to sourcetype=XXX | eval time_resumo=substr(time,6,2) | eval IP = replace(replace(IP, "\."," "),":"," ") to see if you get results?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎10-20-2017 08:03 AM

I don't think the double-quotes are the issue. I have used many query strings in javascript with double-quotes - formatted just like yours. Is it possible that the csv file is not accessible to the user/app that is running this? If PLANTA is not being returned from the lookup, then the final command would output nothing, I believe. Have you tried trimming the query down to sourcetype=XXX | eval time_resumo=substr(time,6,2) | eval IP = replace(replace(IP, "\."," "),":"," ") to see if you get results?

0 Karma
Reply
Solved! Jump to solution

danillopavan
Communicator
‎10-20-2017 11:22 AM

Hello elliotproebstel , many thanks for your Support.

Yes, you are correct. I executed the initial of the query without the lookup command, and got the return. Now we found that the lookup command is not working, but why? If I execute the same query via SEARCH and it is working. The lookup table file componente is configure as Global and for all apss (read and write). Don´t know the reason for this query is not working in JavaScript.

Many thanks again!

0 Karma
Reply
Solved! Jump to solution

danillopavan
Communicator
‎10-23-2017 12:06 PM

Hello all,

It is working now. My search query was wrong. I needed to remove one of the replace commands. The problem was not with lookup information.

Thanks and regards

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎10-23-2017 12:12 PM

Glad you got it fixed!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...