Hi,
I have been working on advanced XML and have written some search logic which looks in two CSV files, runs a search query, and brings back two different results. It used to work until something happened which messed up one of my results. So I am reading two CSV files; here is my Src Input.conf at the Universal Forwarder:
[monitor://D:\Availablity_Analytics\Analytics1.csv]
sourcetype = csv-2
[monitor://D:\\Availablity_Analytics\Analytics2.csv]
sourcetype = csv-3
Both files have different content, but I still classified them as different source types.
Here is my props.conf at the same Universal Forwarder (C:\Program Files\SplunkForwarder\etc\apps\learned\local):
[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
[csv-3]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
On the Indexer/Search Head I have the same props.conf entry at D:\Splunk\etc\apps\learned\local:
[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
[csv-3]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
Now I see the indexer summary screen shows two Sources (CSV files) with 2 Summary Fields files, and I also see two Source Types. I simply run a search query on the second CSV file:
source="D:\\Availablity_Analytics\\Analytics2.csv" | rex field=_raw "(?<Date>.*),(?<Poll_Duration>.*),(?<Latency_msec>.*)" | search Poll_Duration>0 | table Date Latency_msec | stats avg(Latency_msec) | rangemap field=avg(Latency_msec) low_small=0-200 medium_small=201-500 default=severe_small
This gives a nice output (the way I want it in Splunk Search).
But interestingly (this used to work earlier), when I run the search from my Advanced XML, the same search comes back with "No matching fields exist". My advanced XML looks like:
<!-- Avail Site -->
<module name="HiddenSearch" layoutPanel="panel_row3_col1" group="Avail Last 24 Hours" autoRun="True">
<param name="search">((source="source="D:\\Availablity_Analytics\\Analytics1.csv") AND (SH)) | rex field=_raw "(?<Hostname>.*),(?<Value>.*)" | chart avg(Value) | stats max | rangemap field=max low=99-100 default=severe</param>
<param name="earliest">-24h</param>
<param name="latest">-1m</param>
<module name="SingleValue">
<option name="field">max</option>
<option name="classField">range</option>
<param name="beforeLabel">AVAILABLITY</param>
<param name="afterLabel">%</param>
<param name="linkFields">result</param>
<param name="linkSearch">((source="source="D:\\Availablity_Analytics\\Analytics1.csv") AND (SH)) AND (SH)) | rex field=_raw "(?<Hostname>.*),(?<Value>.*)" | stats avg(Value) by Hostname</param>
<param name="linkView">Template_Table</param>
</module>
</module>
<!-- Latency Site -->
<module name="HiddenSearch" layoutPanel="panel_row3_col2" group="Latency Last 24 Hours" autoRun="True">
<param name="search">((source="source="D:\\Availablity_Analytics\\Analytics2.csv") AND (SH)) | rex field=_raw "(?<Date>.*),(?<Poll_Duration>.*),(?<Latency_msec>.*)" | search Poll_Duration>0 | table Date Latency_msec | stats avg(Latency_msec) | rangemap field=avg(Latency_msec) low_small=0-200 medium_small=201-500 default=severe_small</param>
<param name="earliest">-24h</param>
<param name="latest">-1m</param>
<module name="SingleValue">
<option name="field">max</option>
<option name="classField">range</option>
<param name="afterLabel">msec</param>
<param name="linkFields">result,afterLabel</param>
</module>
</module>
The first module (Avail Site) shows availability on the dashboard, but the second panel's (Latency) SingleValue is showing the value N/A, and at the top of the dashboard I see "No matching fields exist" in a blue bar. The same search as shown above works fine when you take the search and put it in the search bar. I have deleted the indexed CSV data from both CSV files (by .. | delete) multiple times, I have reinstalled the Splunk indexer and search head (test machine), and I have split the source type (as shown above), but the problem is still there. Any help will be greatly appreciated, as I am running out of options here. I am running v 5.0.
Try this
<!-- Avail Site -->
<module name="HiddenSearch" layoutPanel="panel_row3_col1" group="Avail Last 24 Hours" autoRun="True">
<param name="search">
<![CDATA[
source="D:\Availablity_Analytics\Analytics1.csv" SH | rex field=_raw "(?<Hostname>.*),(?<Value>.*)" | chart avg(Value) | stats max | rangemap field=max low=99-100 default=severe
]]>
</param>
<param name="earliest">-24h</param>
<param name="latest">-1m</param>
<module name="SingleValue">
<option name="field">max</option>
<option name="classField">range</option>
<param name="beforeLabel">AVAILABLITY</param>
<param name="afterLabel">%</param>
<param name="linkFields">result</param>
<param name="linkSearch">
<![CDATA[
source="D:\Availablity_Analytics\Analytics1.csv" SH | rex field=_raw "(?<Hostname>.*),(?<Value>.*)" | stats avg(Value) by Hostname
]]>
</param>
<param name="linkView">Template_Table</param>
</module>
</module>
Still the same response: "No matching fields exist".
And actually it was the second layout panel, Latency, which was the issue (the first one, Avail, is just fine).
Are you saying to append and close the search string with "![CDATA[" and "]]"? What does it do? I will try now.
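Added example (not part of the original thread) showing what the CDATA wrapper in the suggested answer does: the rex named groups such as (?<Date>...) contain a literal "<", which an XML parser reads as the start of a tag unless the text is wrapped in CDATA or entity-escaped. The function names are hypothetical, and Python's xml.etree is assumed here as a stand-in for whatever XML parser loads the view.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Latency search from the thread (shortened); the rex named groups contain '<'.
SEARCH = (r'source="D:\Availablity_Analytics\Analytics2.csv" '
          r'| rex field=_raw "(?<Date>.*),(?<Poll_Duration>.*),(?<Latency_msec>.*)" '
          r'| search Poll_Duration>0 | stats avg(Latency_msec)')


def param_raw(search):
    """Embed the search verbatim: '<Date>' etc. are parsed as XML tags."""
    return '<param name="search">' + search + '</param>'


def param_cdata(search):
    """Wrap the search in CDATA so the parser treats it as plain text."""
    # A literal ']]>' would close the section early, so split it in two.
    body = search.replace(']]>', ']]]]><![CDATA[>')
    return '<param name="search"><![CDATA[' + body + ']]></param>'


def param_escaped(search):
    """Alternative to CDATA: replace &, < and > with XML entities."""
    return '<param name="search">' + escape(search) + '</param>'


def parsed_text(xml_fragment):
    """Return the text the parser hands back, or None if not well-formed."""
    try:
        return ET.fromstring(xml_fragment).text
    except ET.ParseError:
        return None


if __name__ == "__main__":
    for name, build in (("raw", param_raw),
                        ("cdata", param_cdata),
                        ("escaped", param_escaped)):
        text = parsed_text(build(SEARCH))
        status = "not well-formed" if text is None else "search preserved"
        print(f"{name:8s} {status}")
```

CDATA only changes how the XML is parsed; the search string that reaches Splunk is identical in the CDATA and entity-escaped forms.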