[RESOLVED]: See notes below.
Below is a search I am using in a dashboard in a HiddenSearch module:
search index=techsecu_summary source="Top-Internet-connection-permitted" | top asa_srcip, asa_dstip, asa_dstport | eval Connection="(" . asa_srcip . ", " . asa_dstip . ", " . asa_dstport . ")" | fields Connection, count, percent
The dashboard shows "No results found."
When I hit "Inspect", I get a message like this:
This search has completed and found 11,549,745 matching events. However, the transforming commands in the highlighted portion of the following search:
the search string shown above with everything after the first | highlighted.
over the time range:
[12/8/13 12:00:00.000 AM – 12/13/13 11:10:30.000 AM]
generated no results.
But if I copy the search string to the "search" app and run it over the same time period (Week to date), I do get results.
Looks like I am missing something really simple but I am not able to see it. Your insights are much appreciated.
[Resolved] This little issue wasted a few hours of mine!
I'll call it my fault: The problem is that, in splitting the search command into multiple lines to make it a bit more readable, I put a tab in front of the pipe (|) characters. Once I manually replaced the tabs with spaces, the dashboard works as expected.
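A small lint/fix script for the tab problem described above, as an added example that is not part of the original post and not Splunk's own tooling. It assumes the dashboard is available as an Advanced XML view file, that the search lives in a `<param name="search">` under a `<module>`, and that the inline sample view (constructed here, modelled on the question's HiddenSearch) is representative; it reports every line where a tab precedes a pipe and rewrites the search with plain single spaces so the SPL is exactly what the Search app would run.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Splunk Advanced XML view fragment, modelled on the
# dashboard in the question: a HiddenSearch module whose search param has a
# tab in front of each pipe (the form that produced "No results found").
SAMPLE_VIEW_XML = """<view>
  <module name="HiddenSearch" layoutPanel="panel_row1_col1">
    <param name="search">index=techsecu_summary source="Top-Internet-connection-permitted"
\t| top asa_srcip, asa_dstip, asa_dstport
\t| eval Connection=asa_srcip . "/" . asa_dstip . ":" . asa_dstport
\t| fields Connection, count, percent
    </param>
    <param name="earliest">@w0</param>
  </module>
</view>
"""


def find_tabbed_pipes(search_text):
    """Return the 1-based line numbers of a search string on which one or
    more tab characters sit directly in front of a pipe."""
    bad_lines = []
    for number, line in enumerate(search_text.splitlines(), start=1):
        if re.search(r"\t+\|", line):
            bad_lines.append(number)
    return bad_lines


def normalize_search(search_text):
    """Collapse every run of whitespace (tabs, newlines, multiple spaces)
    to a single space, giving a one-line SPL string with ' | ' separators."""
    return re.sub(r"\s+", " ", search_text).strip()


def lint_view(xml_text):
    """Parse an Advanced XML view and return (module name, line numbers)
    for every <param name="search"> that has a tab before a pipe."""
    root = ET.fromstring(xml_text)
    findings = []
    for module in root.iter("module"):
        for param in module.findall("param"):
            if param.get("name") != "search":
                continue
            lines = find_tabbed_pipes(param.text or "")
            if lines:
                findings.append((module.get("name"), lines))
    return findings


def fix_view(xml_text):
    """Return the view XML with the whitespace of every search param
    normalized; all other elements and attributes are left untouched."""
    root = ET.fromstring(xml_text)
    for param in root.iter("param"):
        if param.get("name") == "search" and param.text:
            param.text = normalize_search(param.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for module_name, lines in lint_view(SAMPLE_VIEW_XML):
        print(f"{module_name}: tab before '|' on line(s) {lines}")
    print(fix_view(SAMPLE_VIEW_XML))
```

Run it against an exported view file (read the file into `lint_view` instead of `SAMPLE_VIEW_XML`) before deploying a dashboard; the normalized string from `fix_view` is what the Search app would execute, so the inspector's "found N events but the transforming commands generated no results" symptom disappears once the tabs are gone.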
Might be an issue with special characters or maybe something with the spaces in the eval. Try this...
<param name="search"><![CDATA[index=techsecu_summary source="Top-Internet-connection-permitted"
| top asa_srcip, asa_dstip, asa_dstport
| eval Connection=asa_srcip."/".asa_dstip.":".asa_dstport
| fields Connection, count, percent]]>
</param>
After figuring out the tabs, I did try the CDATA wrapping (with the tabs in front of the |'s), expecting the dashboard to work. But that still did not work for me.
Yes, I'm using advanced XML.
Sorry, the "search" command is copied from the "Search job inspector" page. It's not part of my XML, which actually reads:
<param name="search">index=techsecu_summary source="Top-Internet-connection-permitted"
| top asa_srcip, asa_dstip, asa_dstport
| eval Connection=asa_srcip . "/" . asa_dstip . ":" . asa_dstport
| fields Connection, count, percent
</param>
I did change the "eval" line. But that was not the problem.
Try removing the "search" command from your search [start directly with index-....]
Are you using Advanced XML?