All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field results lost passing search result

kragel
Path Finder
‎03-07-2014 02:49 PM

Somehow I'm losing the results of my msgid field for a search. I'm trying to debug what is happening and I'm not getting anywhere. I'd really appreciate any ideas.

The first search returns the qid, the second search searches on the qid value and the text msgid, the third search is supposed to search on the value msgid returned from the second search. But msgid is blank. The second search locates the right information and the correct information is displayed in the table but the msgid value is blank so I can't pass it to the third search.

<module name="TextField" layoutPanel="panel_row1_col1">
  <param name="name">to_address</param>
  <param name="float">left</param>
  <param name="label">Enter the TO: address to search on</param>
  <module name="Button">
    <param name="allowSoftSubmit">True</param>
    <module name="TimeRangePicker">
      <param name="default">Last 4 hours</param>
      <module name="DashboardTitleBar" layoutPanel="viewHeader"/>
      <module name="HTML" layoutPanel="panel_row1_col1">
        <param name="html">
          <![CDATA[Select a message below to get more information.]]>
        </param>
      </module>
      <module name="Search">
        <param name="search">host=smtphost* $to_address$.procmail ctladdr | table _time,from,to,host,qid | sort -_time</param>
        <module name="JobProgressIndicator"/>
        <module name="Pager">
          <param name="count">10</param>
          <module name="Table">
            <param name="hiddenFields"></param>
            <module name="HTML">
              <param name="html">
                <![CDATA[The first search was=$search$<br>qid=$row.fields.qid$]]>
            </param>
          </module>  
          <module name="HTML" layoutPanel="panel_row1_col1">
            <module name="TimeRangePicker">
              <param name="default">Last 4 hours</param>
              <module name="Search" autoRun="False">
                <param name="search">$row.fields.qid$ msgid | table _time,from,msgid,qid</param>
                <module name="JobProgressIndicator"/>
                <module name="Pager">
                  <param name="count">10</param>
                  <module name="Table">
                    <param name="hiddenFields"></param>
                      <module name="HTML">
                        <param name="html"><![CDATA[The second search was=$search$<br>from=$row.fields.from$<br>msgid=$row.fields.msgid$<br>qid=$row.fields.qid$]]>
                        </param>
                      </module>
                      <module name="Search" autoRun="False">
                        <param name="search">"hdr_mid=$row.fields.msgid$" | table _time,subject,qid</param>
                        <module name="JobProgressIndicator"/>
                        <module name="Pager">
                          <param name="count">25</param>
                          <module name="Table">
                            <param name="hiddenFields"></param>

The Output:

The second search was=s27I9aXu008416 msgid | table _time,from,msgid,qid

from="username omitted"@"domain omitted".com

msgid=

qid=s27I9aXu008416

Reply
1 Solution
Solved! Jump to solution
Solution

kragel
Path Finder
‎03-11-2014 12:07 PM

I worked around the issue by using eval to assign the value to a new variable and then working with the new variable.

View solution in original post

Reply
Solved! Jump to solution

kragel
Path Finder
‎03-12-2014 12:46 PM

Ok, I cleaned those up. thanks!

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎03-12-2014 11:06 AM

Also those autoRun="False" attributes are not doing anything and you should remove them. You want exactly one autoRun="True", and it should be on one module near the top of the view. I assume in this view there's an autoRun="True" up at the top on some module like URLLoader. If you have multiple autoRun="True" attributes that's bad and it can cause spooky behavior not unlike this problem, fwiw.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎03-11-2014 12:58 PM

Sorry I didn't come up with an answer. That's outright bizarre. I'm glad just renaming the field fixed it though.... There shouldn't be anything special about $row.fields.msgid$ certainly.... If you ever see anything else similar or weird let me know.

0 Karma
Reply
Solved! Jump to solution
Solution

kragel
Path Finder
‎03-11-2014 12:07 PM

I worked around the issue by using eval to assign the value to a new variable and then working with the new variable.

Reply
Solved! Jump to solution

kragel
Path Finder
‎03-10-2014 01:49 PM

Yes, that is correct. Thank you.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎03-09-2014 11:40 PM

So to make sure I understand, the second Table does display values for the msgid field, but when you click on a row in that second Table the HTML module underneath says $row.fields.msgid$ is blank?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...