Why can't I see results from (JavaScript) SearchManager with double quotes in search?

danillopavan
Communicator

Hello all,

I am using the SearchManager object for the query below; however, it is not returning anything. Executing the same query directly in search, we can find the results. Probably it is something related to the double quotes in the replace command within the query:

 var myquery = 'sourcetype=XXX | eval time_resumo=substr(time,6,2) | eval IP = replace(replace(IP, "\."," "),":"," ") | lookup unidadedepara.csv IP OUTPUT PLANTA | timechart span=1h avg(time_resumo) by PLANTA';

Is there any special way to configure (store) the above query in a variable via JavaScript to be executed via SearchManager?

Thanks and regards,
Danillo Pavan

0 Karma
1 Solution

elliotproebstel
Champion

I don't think the double-quotes are the issue. I have used many query strings in JavaScript with double-quotes - formatted just like yours. Is it possible that the csv file is not accessible to the user/app that is running this? If PLANTA is not being returned from the lookup, then the final command would output nothing, I believe. Have you tried trimming the query down to sourcetype=XXX | eval time_resumo=substr(time,6,2) | eval IP = replace(replace(IP, "\."," "),":"," ") to see if you get results?

0 Karma

danillopavan
Communicator

Hello elliotproebstel, many thanks for your support.

Yes, you are correct. I executed the initial part of the query without the lookup command and got results. Now we found that the lookup command is not working, but why? If I execute the same query via SEARCH, it works. The lookup table file component is configured as Global and for all apps (read and write). I don't know the reason this query is not working in JavaScript.

Many thanks again!

0 Karma

danillopavan
Communicator

Hello all,

It is working now. My search query was wrong. I needed to remove one of the replace commands. The problem was not with lookup information.

Thanks and regards

0 Karma

elliotproebstel
Champion

Glad you got it fixed!

0 Karma
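
An added example, not part of the original thread or Splunk's own code: it shows what a JavaScript string literal actually hands to SearchManager when the query contains "\.", compared with a doubled backslash and String.raw. The helper names, the sample IP value, and the use of JavaScript's RegExp to approximate eval's replace() are assumptions made for illustration.

```javascript
// Constructed sample: the eval fragment from the question, written three ways.
// Plain literal: JavaScript drops the backslash of the non-special escape "\.".
const plain = 'eval IP = replace(replace(IP, "\."," "),":"," ")';
// Doubled backslash: the resulting string contains one real backslash.
const escaped = 'eval IP = replace(replace(IP, "\\."," "),":"," ")';
// String.raw: backslashes in the template are kept exactly as typed.
const raw = String.raw`eval IP = replace(replace(IP, "\."," "),":"," ")`;

// Extract the regex argument of the inner replace(IP, "<regex>", ...).
function innerPattern(spl) {
  const m = /replace\(IP,\s*"([^"]*)"/.exec(spl);
  return m ? m[1] : null;
}

// Approximate eval replace(value, regex, replacement) with JavaScript's RegExp
// (assumption: a pattern this simple behaves the same in both regex engines).
function emulateReplace(value, pattern, replacement) {
  return value.replace(new RegExp(pattern, 'g'), replacement);
}

// Value of the IP field after the inner replace, for a given query string.
function ipAfterInnerReplace(spl, ip) {
  return emulateReplace(ip, innerPattern(spl), ' ');
}

// Constructed sample field value, not data from the thread.
const sampleIp = '10.1.2.3:8080';
for (const [name, q] of [['plain', plain], ['escaped', escaped], ['raw', raw]]) {
  console.log(name, JSON.stringify(innerPattern(q)),
    JSON.stringify(ipAfterInnerReplace(q, sampleIp)));
}
```

Logging the query string before passing it to SearchManager shows whether it still matches what was typed in the search bar.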