Hi,
We have a query like this:
app="SampleApp" env="PROD" "SalesDashboard"
| rex field=_raw "\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\,\d+\s\|\s\w+\s\s\|\s\[\w+\]\s\|\s\[\w+\.\w+\.\w+\]\s\|\s((?<SaleName>\w+)\,)?(?<Date>\d+\-\d+\-\d+)\,(?<SaleID>\w+)\,(?<BusinessType>\w+)\,(?<SaleType>\w+)\,(?<SaleStatus>\w+)\,(?<SaleCount>\d+)"
| fields SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount
| where isnotnull(Date) AND isnotnull(SaleID) AND isnotnull(BusinessType) AND isnotnull(SaleType) AND isnotnull (SaleStatus) AND isnotnull(SaleCount)
| table SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount
The query runs when I go to Reports -> Open in Search
- Refer below for screenshot
The query fails when I go into the report (Sales Dashboard) -> Edit -> Open in Search. The error thrown is 'No matching fields exist'.
- Refer below for screenshot
When I go into 'Inspect Job':
Value when the query works in Reports -> Open in Search
Value when the query fails in report (Sales Dashboard) -> Edit -> Open in Search
over the time range: 5/17/17 12:00:00.000 AM - 5/17/17 9:00:00.000 AM did not return any data.
Possible solutions are to:
• relax the primary search criteria
• widen the time range of the search
• check that the default search indexes for your account include the desired indexes
The following messages were returned by the search subsystem:
• info : No matching fields exist
Please help me troubleshoot.
NOTE: I am using Splunk Enterprise.
Thanks,
Deepak
The problem may be the app in which the searches/dashboard are running (they are different between the 2). You can easily tell this by showing us the 2 URLs up until the first question mark.