Reporting

Pivot not showing results even though clicking the "open in search" option shows results

aholzer
Motivator

I'm building out a simple pivot data model with what I thought was a very straight forward search. When I first created the data model, and viewed it in the pivot view, it was displaying data. Then I added some child objects and now none of the objects display any results. But if I hit the "open in search" button (top right), the new search window that opens does in fact display results.

The search:
index=myindex source=mysource | dedup my_id sortby -_time

The children were basically coded to be data for only TODAY, Last30Days and Last7Days. This is when data stopped being displayed for any of the objects.

I've tried the following to make results come up again, with no success:

  • Deleting the children
  • Making a clone
  • Creating a brand new data model with the same root search
  • Changing the base search slightly:

index=myindex source=mysource earliest=-30d@d | dedup my_id sortby -_time

  • Using the "rebuild acceleration" option in the pivot page

None of the above changes have made results appear again on my pivot page. If I run the searches in a flashtimeline view I get results. And like I said, I even get results by using the "open in search" button from the pivot page.

Any ideas how to get results to start displaying again?

I believe this is a bug.

===== UPDATE =====

I have now also tried the following:
- Restarting the search head
- Deleting ALL the data models and creating a new one

The second one has given me mixed results. When I open the pivot view based on the data model and object, I don't get any results. But sometimes when I refresh (F5) the pivot view, I will get results, other times when I refresh I still don't get any results. If I close the pivot view and reopen it then it goes back to having no results.

This inconsistent behavior has got to be a bug...

===== UPDATE 2 =====

I managed to get a pivot that was showing data and I could change the split rows and column values around and still got data. I shared the link with a coworker but he didn't get any data... (and yes, I made sure to make the data model have app level permissions)

Tags (2)

dbylertbg
Path Finder

did this ever get resolved??

0 Karma

aholzer
Motivator

No resolution that I'm aware of. We had to go with a different solution

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

Could you attach the .json file for the data model you're working with? If it's shared at the app level, you should be able to find it at /etc/apps//local/data/models/.json

0 Karma

btorresgil
Builder

I'm having the same issue, but with the CIM datamodels. CIM app version 4.2.0, tested on Splunk 6.2.6 and 6.3.0 with same result.

When I view the datamodels for the CIM app in pivot, I get no results, but if I click "Open in search" on that same pivot it does show the results.

0 Karma

svaughnbehrens
Engager

Did you ever find a resolution to the problem? I've also been encountering the same problem with CIM 4.2 and Splunk 6.3, and haven't found a way around the issue yet.

0 Karma

btorresgil
Builder

Never found a complete explanation or solution. I find that when I'm not getting results in a pivot, if I turn on datamodel acceleration sometimes I start getting results in the pivot.

0 Karma

aholzer
Motivator

@btorresgil and @svaughnbehrens , I never got a solution to this problem. We moved away from pivots for this particular solution.

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

So far I'm not able to reproduce the problem. I modified your data model to have the following base search:

index=_internal source=*splunkd_access.log earliest=-30d@d | dedup date_hour sortby -_time

The results always show up in pivot. I can add a child with a custom constraint and everything works fine. Is there anything special about the data you're using?

0 Karma

bwindham
Path Finder

sorry to jump on this thread, but how do you create a data model with "|" pipe in the base search? I keep getting errors that "|" pipe is not allowed. I used your reference to json to find the data model and edited it and it still said pipes were not allowed. I want to do pretty much the same thing your example had and dedup the base search.

0 Karma

aholzer
Motivator

I attached the file to the ticket and sent it to you personally as well. Let me know when you have had a chance to look at it. Thanks

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

Sorry about that: sfishel@splunk.com. I'm not with support but I was one of the engineers on the pivot project.

You should definitely attach the file to the open ticket, and if you don't mind sending it to me as well I can start looking into it.

0 Karma

aholzer
Motivator

Can't seem to find your contact info... Are you Splunk support? I can attach the file to the open ticket if you are.

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

Hmm yeah I guess you can't attach files, only images. If you don't want to paste the contents, you can email the file to me.

0 Karma

aholzer
Motivator

I'm not sure how to attach a file...

And I don't just want to paste the contents because it's actually really long (600+ lines)

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...