Do saved searches use field aliases?

jizzmaster · ‎06-10-2015

I have a few reports in a savedsearches.conf which are running and their status shows as done. I have them results collecting to a summary index. Only one of four are working though. It seems that the one working one is not referencing any fields that were created via field aliases.

These reports in savedsearches.conf are searches, and therefore all normal searchtime actions should apply, yes? When I run the same search string from the GUI, it works. Something is apparently different from the conf file, though.

jizzmaster · ‎06-17-2015

As I'm digging more, it appears the problem is bigger than I expected. Iam unable to collect data into a summary index. Getting odd behavior. Some stuff works, other stuff does not.

This works:

index=security sourcetype=dbx2 source=ca_owned_resource inactive=0 resource_status=2600 OR resource_status=0
resource_family=362243 OR resource_family=3622436 OR resource_family=3622435 OR resource_family=3622486 OR resource_family=3622488 OR resource_family=3622500 OR resource_family=3622458 OR resource_family=3622454 OR resource_family=3622491 OR resource_family=3622492 |dedup resource_name |stats count(resource_name) as asset_mgmt.cmdb.active |collect index=summary

This does not:

index=security sourcetype=nmap_xml host.status{@state}=up earliest=-5d |stats first(host.status{@state}) as State by ip |stats count(State) as Count |rename Count as asset_mgmt.nmap_xml.ip.live |collect index=summary

Both searches, per se, work fine. But the collection part does not work on the latter query. Each search query provides a number value as expected. When I look at the summary index (index=summary asset_mgmt) right after running each query, only the first search comes up. It does not matter the user I run it as; typical user, power user, or admin. I have also tried this on different searchheads but have the same result. Overall, I have three search strings that will not record into the summary index, and one that will. Other stuff is indexing, such as the MS Exchange app.

But this seems to make this original question moot now. I will be opening a new question with this info.

woodcock · ‎06-10-2015

Are you running the saved searches as the same user as "you" when you are running them manually from the GUI? You clearly have a scoping problem for the field alias configuration. You can try setting the permissions on the ALIAS Knowledge Object to "global for all apps" and this will probably do it: Settings -> Fields -> Field aliases -> search.

jizzmaster · ‎06-16-2015

Different user. But the fieldaliases are already shared globally. Which means, they should apply during an execution of the a report in savedsearches.conf.

When I inspect the job, it says "done." Meaning it is running, and successfully. But I'm collecting them into the summary index. Yet it never shows up. Actually, one out of four do. The one that does does not use any aliases. The ones that fail use aliases and field extracts, too (all of which work when I use the same search query).

woodcock · ‎06-16-2015

You really need to prove this with showing us your data. What is inside yourmeta files and where are they? Something is wrong with your permissions or scoping but you have not given us anything to evaluate.

Do saved searches use field aliases?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!