Search not functioning in all apps after upgrade from Splunk Enterprise 5.0.4 to 6.0.4

psharkey
Explorer

Splunk Enterprise v6.0.4 (build 207768).

Search works inside the Search & Reporting app and a few other apps. By that I mean if your search terms are syntactically correct and there are matching events, they will be returned.

However, in some apps with embedded search capability, nothing is returned when you enter search terms and select the magnifying glass button. If you use the same search terms in the Search & Reporting app, results will get returned.

The account that I am logged in with is in the admin role. Users with the admin role are allowed to search all indexes.

We recently upgraded from Splunk Enterprise 5.0.4. I am not sure if this behavior started when we upgraded or since then.

Examples of apps where Search does function:

  • Search & Reporting v6.0.4
  • Cisco IOS v1.3.2
  • *NIX 4.6 v4.6 (Build 133346)

Examples of apps where Search does not function include:

  • Splunk for Blue Coat v3.0.7 (Build 30007)
  • Cisco Security Suite v3.0.3 (Build 100784)
  • Splunk App for Microsoft Exchange v2.1.1

These apps are compatible with Splunk 6.0. App permission settings look appropriate.

Any ideas?

alterdego
Path Finder

I had a similar issue after the upgrade to 6.x from 5.x. In my instance it was related to flashtimeline in version 5.x versus search in version 6.x. What I ended up doing was getting a copy of the flashtimeline xml file from a version 5.x search app and adding it to the data/ui/views/ folder of the apps where it wasn't working.

For me it was somewhat similar to the issue described here:
http://answers.splunk.com/answers/104477/splunk-6-flashtimeline-conversion-to-search-assigning-chart...

or the opposite of what is described here:
http://answers.splunk.com/answers/112171/app-has-an-overriding-copy-of-the-flashtimelinexml

psharkey
Explorer

Thanks alterdego. Your recommendation resolved the problem that I was experiencing.

0 Karma

mikaelbje
Motivator

I experienced the same thing happening with the search view. Linking this with a thread where a fix was found: https://answers.splunk.com/answers/219784/new-app-old-4350-style-search-view.html

The search.xml view was exported globally from an app that was initially created for Splunk 5 and thus overrode the search.xml view exported from the search app. The app causing the trouble was sec_one_dns which takes precedence over the search app's search.xml file because of ASCII order.

The reason the Search view in the Cisco IOS app works (I'm the author, by the way) is that it ships its own search.xml which is just a copy of the search.xml from the search app.

0 Karma
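
An added example, not code from this thread or from Splunk: a Python script that lists, in ASCII order, every app shipping a given view (such as search.xml) together with the view's effective `export` setting, to help spot an overriding copy like the one described above. It assumes the standard app layout (`default/` and `local/` under `data/ui/views/`, plus `metadata/default.meta` and `metadata/local.meta`) and a simplified model of .meta layering; the function names are hypothetical.

```python
import os
import sys

def read_meta(path):
    """Parse a Splunk .meta file into {stanza: {key: value}}."""
    stanzas, current = {}, None
    if not os.path.isfile(path):
        return stanzas
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1].strip(), {})
            elif current is not None and "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return stanzas

def export_setting(app_dir, view):
    """Effective 'export' value for a view in one app.

    Assumption: local.meta overrides default.meta per stanza, and the most
    specific stanza wins ([views/<name>], then [views], then []).
    """
    merged = {}
    for name in ("default.meta", "local.meta"):
        meta = read_meta(os.path.join(app_dir, "metadata", name))
        for stanza, keys in meta.items():
            merged.setdefault(stanza, {}).update(keys)
    for stanza in ("views/" + view, "views", ""):
        if "export" in merged.get(stanza, {}):
            return merged[stanza]["export"]
    return "none"  # no export setting found: treated as app-only

def view_providers(apps_dir, view="search"):
    """List (app, export) for each app shipping <view>.xml, in ASCII order."""
    found = []
    for app in sorted(os.listdir(apps_dir)):
        views = [os.path.join(apps_dir, app, layer, "data", "ui", "views", view + ".xml")
                 for layer in ("default", "local")]
        if any(os.path.isfile(p) for p in views):
            found.append((app, export_setting(os.path.join(apps_dir, app), view)))
    return found

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: view_providers.py APPS_DIR [VIEW]")
    for app, export in view_providers(sys.argv[1], *sys.argv[2:3]):
        print(f"{app:30} export={export}")
```

Run it against the `etc/apps` directory of the Splunk installation; any app other than the search app that reports `export=system` for the view is a candidate for the override described in this thread.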