All Apps and Add-ons

Sideview Utils app design : Why is new panel "Waiting for search to finish..."?

vspreethi17
Explorer

I am working on adding a panel to a dashboard which already has 5 panels.
Here is the hierarchy,

TimeRangePicker
            |
Pulldown
            |
Switcher
         | 
NullModule(5)
         |
GenericHeader(6)
        |
search(6)
    |
JobProgressIndicator|Pager
                                       |
                                   Table

And here is my Advanced XML for the 6th Panel

      <module name="GenericHeader" layoutPanel="panel_row6_col1">
        <param name="label">... </param>

        <module name="Search">
          <param name="search"><![CDATA[
index=... sourcetype=... Exception | rex ".*?( ?(?:\w+\.)+\w*?Exception).*"| stats count by Exception|sort &#8211;count
]]>

          <module name="JobProgressIndicator" />

          <module name="Pager">

            <module name="Table">

              <module name="ConvertToDrilldownSearch">

                <module name="ViewRedirector">
                  <param name="viewTarget">flashtimeline</param>
                </module>
                <!-- ViewRedirector -->
              </module>
              <!-- ConvertToDrilldownSearch -->
            </module>
            <!-- Table -->
          </module>
          <!-- Pager -->
        </module>
        <!-- Search -->
      </module>
      <!-- GenericHeader -->

Current Result :

Waiting for search to finish...

Expected Result:

Panel with Results

Note: All other 5 panels are working.

Thank you.

1 Solution

sideview
SplunkTrust
SplunkTrust

OK. I think the main problem, strangely, is that you probably don't have a Message module in the view anywhere.

that search, at least as written here, will throw a syntax error in splunk.

In your sort - count, the character you have between sort and count is not actually a hyphen character ,but an escaped emdash. This is quite common when searches pass through email or through microsoft word, because those programs can "help" you by converting your hyphen characters to emdash characters. However I don't think Splunk will like the fancy emdash very much.

And make sure you have a Message module in every view. I think if there was one here, I think you would be getting a relatively informative red error message displayed (and thus not had this mysterious behavior).

I don't see anything else that leaps out as being wrong, although I do strongly advise against using the ConvertToDrilldownSearch module. You should adopt the conventions that the Sideview Linking docs use, and use the Redirector module instead of ConvertToDrilldownSearch and ViewRedirector. Even if it's a bit of a learning curve to switch they are a more open and flat mechanism to control URL redirects.

View solution in original post

sideview
SplunkTrust
SplunkTrust

OK. I think the main problem, strangely, is that you probably don't have a Message module in the view anywhere.

that search, at least as written here, will throw a syntax error in splunk.

In your sort - count, the character you have between sort and count is not actually a hyphen character ,but an escaped emdash. This is quite common when searches pass through email or through microsoft word, because those programs can "help" you by converting your hyphen characters to emdash characters. However I don't think Splunk will like the fancy emdash very much.

And make sure you have a Message module in every view. I think if there was one here, I think you would be getting a relatively informative red error message displayed (and thus not had this mysterious behavior).

I don't see anything else that leaps out as being wrong, although I do strongly advise against using the ConvertToDrilldownSearch module. You should adopt the conventions that the Sideview Linking docs use, and use the Redirector module instead of ConvertToDrilldownSearch and ViewRedirector. Even if it's a bit of a learning curve to switch they are a more open and flat mechanism to control URL redirects.

vspreethi17
Explorer

Thanks for the hint Sideview. I was able to figure out the error with the syntax error thrown. It was very very simple tweak.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...