Splunk Search

Why does my search work in the Search and Reporting app, but not in the traffic light example XML dashboard?

david_poulin
New Member

Hi,

We are trying to construct a search to provide server health information based upon the traffic light example, to show a green light if all is okay, and so on.

Our search tells us the number of files to synchronize with another server, and with the rangemap option we should be able to display the right picture.

Here is our search:

index="vaultlogs" earliest="-7d" | spath Message  | search Message=BacklogsPerServer "Properties.BL.ReceivingMemberServerOnly"="brasov-ad2"  | spath "Properties.BL.Backlog" output=backlogs  | stats first(backlogs) as value| rangemap field=value low=0-2000 elevated=2001-5000 severe=5001-500000 default=low

If we use it in the search, it tells us that we have a value of 6 and the range is low, but when I transfer the search into the traffic light example XML dashboard, I get an "N\A" text display instead of the corresponding traffic light image.
Here is the first XML part:

<dashboard stylesheet="trafficlight.css">
  <label>Traffic Light Examples</label>
  <description>Build traffic light visualisations into your app using this guide.</description>
    <row>
        <single>
            <title>None</title>
            <searchString>index="vaultlogs" earliest="-7d" | spath Message  | search Message=BacklogsPerServer "Properties.BL.ReceivingMemberServerOnly"="brasov-ad2"  | spath "Properties.BL.Backlog" output=backlogs  | stats first(backlogs) as value| rangemap field=value low=0-2000 elevated=2001-5000 severe=5001-500000 default=low</searchString>
            <earliestTime>-7d</earliestTime>
            <latestTime>now</latestTime>
            <option name="classField">range</option>
            <option name="field">value</option>
        </single>
0 Karma

rsennett_splunk
Splunk Employee

First thing I'd look at is to run the search from within the app to be sure there isn't some odd permissions situation.
Easiest way to do that is to go to Settings>User Interface>navigation menus>default.
Add the following to the menus for the Traffic Light App (and correct some weirdness):

<nav search_view="search" color="#FDC95A">
  <view name="traffic_light_examples" default='true' />
  <view name="search" />
  <view name="dashboards" />
</nav>

Now you'll have a link to the search view and dashboards and just make your life easier.
Run your search in the search view within the traffic light app.
That'll tell you whether your environment has some kind of unknown restrictions on your data access. (I can't think of why, but getting data from within the app is a good first step)

I would also add a panel to your test dashboard that just shows the statistics, that way you will see if you are getting data in that context and that will help you pinpoint where to troubleshoot. I don't see anything wrong with the search or your code.

So the only thing left is data retrieval and permissions. If it was the other way around, (not working in search app) then we'd know that because the Traffic App has APP permissions that you don't have access from the search app... the other way around is going to point to custom permissions or some nuance that isn't obvious unless you can poke around.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
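
The diagnostic panel suggested in the answer above, written out as an added example (it is not part of either post): a second row for the same dashboard, in the same legacy Simple XML style as the question, that runs the identical search but renders it as a plain table. The panel title is constructed, and placing the row directly after the existing `</row>` is an assumption.

```xml
<!-- Added diagnostic row: same search and time range as the <single> panel,
     but shown as a table so the raw fields are visible in the app's context. -->
<row>
    <table>
        <!-- Constructed title, not from the original dashboard -->
        <title>Debug: raw value and range</title>
        <searchString>index="vaultlogs" earliest="-7d" | spath Message  | search Message=BacklogsPerServer "Properties.BL.ReceivingMemberServerOnly"="brasov-ad2"  | spath "Properties.BL.Backlog" output=backlogs  | stats first(backlogs) as value| rangemap field=value low=0-2000 elevated=2001-5000 severe=5001-500000 default=low</searchString>
        <earliestTime>-7d</earliestTime>
        <latestTime>now</latestTime>
    </table>
</row>
```

If this table shows the same `value` and `range` that the Search and Reporting app returns, data access from within the app is working and the problem is in how the single-value panel is rendered; if the table is empty, the app context is not returning the events.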