Troubleshooting help - Report fails, but query runs in search

deepak02
Path Finder

Hi,

We have a query like this:

app="SampleApp" env="PROD" "SalesDashboard" 
| rex field=_raw "\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\,\d+\s\|\s\w+\s\s\|\s\[\w+\]\s\|\s\[\w+\.\w+\.\w+\]\s\|\s((?<SaleName>\w+)\,)?(?<Date>\d+\-\d+\-\d+)\,(?<SaleID>\w+)\,(?<BusinessType>\w+)\,(?<SaleType>\w+)\,(?<SaleStatus>\w+)\,(?<SaleCount>\d+)" 
| fields SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount 
| where isnotnull(Date) AND isnotnull(SaleID) AND isnotnull(BusinessType) AND isnotnull(SaleType) AND isnotnull (SaleStatus) AND isnotnull(SaleCount) 
| table SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount

The query runs when I go to Reports -> Open in Search
- Refer below for screenshot
The query fails when I go into the report (Sales Dashboard) -> Edit -> Open in Search. The error thrown is 'No matching fields exist'.
- Refer below for screenshot

When I go into 'Inspect Job':

Value when the query works in Reports -> Open in Search

  • search (app="SampleApp" env="PROD" "SalesDashboard") | rex field=_raw "\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\,\d+\s\|\s\w+\s\s\|\s\[\w+\]\s\|\s\[\w+\.\w+\.\w+\]\s\|\s((?<SaleName>\w+)\,)?(?<Date>\d+\-\d+\-\d+)\,(?<SaleID>\w+)\,(?<BusinessType>\w+)\,(?<SaleType>\w+)\,(?<SaleStatus>\w+)\,(?<SaleCount>\d+)" | where (((((isnotnull(Date) AND isnotnull(SaleID)) AND isnotnull(BusinessType)) AND isnotnull(SaleType)) AND isnotnull(SaleStatus)) AND isnotnull(SaleCount)) | fields SaleName,Date,SaleID,BusinessType,SaleType,SaleStatus,SaleCount

Value when the query fails in report (Sales Dashboard) -> Edit -> Open in Search

  • This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

over the time range: 5/17/17 12:00:00.000 AM - 5/17/17 9:00:00.000 AM did not return any data.

Possible solutions are to:
• relax the primary search criteria
• widen the time range of the search
• check that the default search indexes for your account include the desired indexes

The following messages were returned by the search subsystem:
• info : No matching fields exist

Please help me troubleshoot.
NOTE: I am using Splunk Enterprise.

Thanks,
Deepak

0 Karma

woodcock
Esteemed Legend

The problem may be the app in which the searches/dashboard are running (they are different between the 2). You can easily tell this by showing us the 2 URLs up until the first question mark.

0 Karma
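
The URL comparison woodcock asks for, as an added example that is not part of the original thread: it cuts two Splunk Web URLs at the first question mark and reports whether they run in the same app. It assumes the usual Splunk Web path layout `/<locale>/app/<app>/<view>`; the hostname, the app name `sales_app` and the function names are made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (hostname and the app name "sales_app" are made up).
URL_WORKS = "https://splunk.example.com:8000/en-US/app/search/search?q=search%20app%3D%22SampleApp%22"
URL_FAILS = "https://splunk.example.com:8000/en-US/app/sales_app/search?s=Sales%20Dashboard&earliest=0"


def splunk_context(url):
    """Return (base, app, view): the URL up to the first '?', plus app and view.

    Assumes the usual Splunk Web path layout /<locale>/app/<app>/<view>.
    """
    parts = urlsplit(url)  # splits the query string off at the first '?'
    segments = [s for s in parts.path.split("/") if s]
    try:
        i = segments.index("app")
        app = segments[i + 1]
    except (ValueError, IndexError):
        raise ValueError(f"not a Splunk app URL: {url!r}") from None
    view = segments[i + 2] if len(segments) > i + 2 else ""
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return base, app, view


def compare_contexts(url_a, url_b):
    """Compare the app context of two Splunk Web URLs."""
    base_a, app_a, view_a = splunk_context(url_a)
    base_b, app_b, view_b = splunk_context(url_b)
    return {
        "same_app": app_a == app_b,
        "apps": (app_a, app_b),
        "views": (view_a, view_b),
        "bases": (base_a, base_b),
    }


if __name__ == "__main__":
    result = compare_contexts(URL_WORKS, URL_FAILS)
    for base in result["bases"]:
        print(base)
    if not result["same_app"]:
        print("App contexts differ:", " vs ".join(result["apps"]))
```

When the two apps differ, the searches run with different app-scoped knowledge objects (field extractions, aliases, sharing permissions), so the same search string can return fields in one context and none in the other.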