I built an app for a new group of users and I used the Welcome Page Creator app to create its home page. It is a very simple page that has the example panels from Welcome Page Creator plus one custom panel to show the users what indexes they can search. On my development node it looks like this:
That is exactly the way I want it, but when I deploy it to my search head cluster (SHC) it looks like this:
The errors say:
[subsearch]: No matching fields exist
Field 'srchIndexesAllowed' does not exist in the data.
When I run the query from Search on my SHC it works perfectly, but always throws those two errors in the pane.
Here is the panel's XML:
<panel>
  <title>Indexes You Can Search</title>
  <table>
    <search>
      <query>| rest /services/authentication/current-context | search NOT username="splunk-system-user" | fields roles
| table roles
| mvexpand roles
| join type=left roles
    [ rest /services/authorization/roles
    | table title srchIndexesAllowed
    | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed
| join type=left max=999 srchIndexesAllowed
    [ rest /services/data/indexes splunk_server=*indexer01
    | table title
    | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*")
    | rename title as IndexesAllowed]
| stats values(*) as * by roles
| fields - Indexes*
| rename roles as "Your Roles", srchIndexesAllowed as "Indexes You Can Search"</query>
    </search>
  </table>
</panel>
@sloshburch, go ahead. (Send me Karma LOL)
I also put a row at the top of the dashboard with this:
<dashboard>
  <label>Welcome</label>
  <search>
    <query>| rest /services/authentication/current-context | search NOT username="splunk-system-user" | fields username, realname</query>
    <finalized>
      <set token="Xusername">$result.username$</set>
      <set token="Xrealname">$result.realname$</set>
    </finalized>
  </search>
  <row>
    <panel>
      <html>
        <style>
          .welcome-header {
            padding: 10px;
            margin-left: auto;
            margin-right: auto;
            min-height: 150px;
            background: #2d3750 50% 50% no-repeat url('/static/app/ss_devops/img-devops-share-small.jpg');
            color: #ffffff;
          }
        </style>
        <div class="welcome-header">
          <p>
            <h1>Splunk at My Company!</h1>
            <h2>$Xrealname$ ($Xusername$)</h2>
          </p>
        </div>
      </html>
    </panel>
  </row>
Hang on to your keyboard, but if you're using recent versions of Splunk you can avoid all that complexity and simply do:
<h2>$env:user_realname$ ($env:user$)</h2>
I was hanging on to my keyboard, but it's wireless, so when I fell over it just went with me.
Boom. Global. Tokens.
This is brilliant! Would you be cool with me adding it (or a similar panel) to the Welcome Page Creator? I'd give you credit, of course.
Dude, where's my credit in version 2.5? LOL
Your panel isn't in 2.5. It's in the code for the next release. 2.5 came out before we had this conversation.
LOL, just hassling ya bud.
I'd first clean up the search:
current-context is never going to return splunk-system-user in a dashboard
fields | table is redundant
join is made useless by the following fields
As for the actual question, I'm guessing your development environment is a standalone Splunk while your production environment uses distributed search? If so, add splunk_server=local to the rest commands that should query the search head.
That search works for me in a dashboard:
<dashboard>
  <row>
    <panel>
      <table>
        <search>
          <query>| rest /services/authentication/current-context splunk_server=local | fields roles
| mvexpand roles
| join type=left roles
    [ rest /services/authorization/roles splunk_server=local
    | table title srchIndexesAllowed
    | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed
| stats values(*) as * by roles
| rename roles as "Your Roles", srchIndexesAllowed as "Indexes You Can Search"</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
That is also my panel. I'm at a loss.
The search is working fine.
I'm on 6.5.2 in my SHC and it works in both search and panel form. I also don't see any strange characters that would need to be escaped that could be causing an issue. What version are you on and is it the same as your development node?
Use local with both current-context and roles - else you're querying all search peers which might have entirely different roles. The users endpoint shouldn't be necessary.
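Added example, not part of the thread: a small Python model of the panel's search run over constructed rest rows, illustrating the point above about querying all search peers. The hostnames, role contents and row order are made up, and the model relies on join's default of max=1.

```python
import re

# Constructed sample rows, shaped like `| rest` results. On a search head in a
# distributed deployment, rest without splunk_server=local also returns rows
# from the search peers (hostnames and row order here are made up).
CONTEXT_ROWS = [
    {"splunk_server": "sh01", "roles": ["admin", "splunk-system-role"]},
]
ROLE_ROWS = [
    {"splunk_server": "idx01", "title": "admin", "srchIndexesAllowed": "main"},
    {"splunk_server": "idx01", "title": "splunk-system-role"},
    {"splunk_server": "sh01", "title": "admin", "srchIndexesAllowed": "* _*"},
    {"splunk_server": "sh01", "title": "splunk-system-role"},
]


def rest(rows, splunk_server=None):
    """Model `| rest <endpoint> [splunk_server=...]`: optionally keep one server's rows.

    In real SPL the value would be `local`; the model takes the search head's name.
    """
    if splunk_server is None:
        return list(rows)
    return [r for r in rows if r["splunk_server"] == splunk_server]


def indexes_by_role(context_rows, role_rows):
    """Model the thread's pipeline: mvexpand, left join, makemv, fillnull, stats."""
    result = {}
    for ctx in context_rows:
        for role in ctx["roles"]:  # | mvexpand roles
            # | join type=left roles [...]: join defaults to max=1, so only the
            # first subsearch row with a matching role name is used.
            match = next((r for r in role_rows if r["title"] == role), {})
            raw = match.get("srchIndexesAllowed", "")
            # | makemv tokenizer=(\S+), then | fillnull value=" "
            values = re.findall(r"\S+", raw) or [" "]
            result.setdefault(role, set()).update(values)
    # | stats values(*) as * by roles: unique values, sorted
    return {role: sorted(vals) for role, vals in result.items()}


if __name__ == "__main__":
    print("all peers:", indexes_by_role(rest(CONTEXT_ROWS), rest(ROLE_ROWS)))
    print("local    :", indexes_by_role(rest(CONTEXT_ROWS, "sh01"), rest(ROLE_ROWS, "sh01")))
```

With the unrestricted call, the admin row joined in comes from an indexer's role definition rather than the search head's, so the panel would list the wrong indexes.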
So I have this, which works perfectly in search, but from the panel it still says that "Field 'srchIndexesAllowed' does not exist in the data."
| rest /services/authentication/current-context splunk_server=local | fields roles
| mvexpand roles
| join type=left roles
[ rest /services/authorization/roles splunk_server=local
| table title srchIndexesAllowed
| rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed
| stats values(*) as * by roles
| rename roles as "Your Roles", srchIndexesAllowed as "Indexes You Can Search"
Yes, my dev system is standalone.
Do you mean I should use splunk_server=local with current-context or users on the SH? I am assuming current-context, because users returns every role on the search head and not just mine (when I test it should only return my admin role)
LOL the second join - crap. I was editing a copy from https://answers.splunk.com/answers/260126/how-can-i-search-a-list-of-users-with-all-the-role.html and I missed that fields.
This revision works in Search on the search heads:
| rest /services/authentication/current-context | fields roles
| mvexpand roles
| join type=left roles
[ rest /services/authorization/roles
| table title srchIndexesAllowed
| rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed
| stats values(*) as * by roles
| rename roles as "Your Roles", srchIndexesAllowed as "Indexes You Can Search"
It returns:
Your Roles            Indexes You Can Search
admin                 *
                      _*
splunk-system-role