I have a saved search, which is used as the base search for my dashboard. There is no issue getting events from the saved search to show up fully on the dashboard.
As a part of post processing, I use the transaction command in different ways on the events. When I use this command in one of my post processing searches and include the startswith or endswith arguments for transaction, a "no results" is returned. However, this is obviously wrong in my case; when I open the "no results" dash in a search, it returns the expected grouped events. Similarly, when inspecting the "no results" dash panel search, it reports returning x events and does not mention anything about a lack of results.
Again, this is only a problem when including startswith or endswith in a post-process dash panel search using a saved search as a base search. When using transaction without these arguments, there is no issue - however I really need these as a part of my search.
Does anybody know why transaction would be removing all events in this very specific case?
@luclepot instead of transaction, see if you can use stats for correlation. http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation
Also see if you can move stats to base search rather than post-process search. http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices
Hi @luclepot,
It should not be a problem with transaction but seems to be field extraction. If the startswith and endswith "fields" are extracted fields, then try explicitly mentioning them in the search by using field. By default, the dashboard runs in Smart Mode, which might not be extracting all fields. Reference: http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Changethesearchmode
So try: your search terms | "other field extractions" | fields startswith, endswith, other required fields | rest of your search
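
The suggestion in the last answer, sketched as a Simple XML dashboard (an added example, not part of the thread): the base search names every field the post-process `transaction` filters on. The index, sourcetype and the field names `session_id`, `action` and `user` are hypothetical; when the base search is a saved search pulled in with `ref`, the `fields` clause would have to live in the saved search itself.

```xml
<!-- Added example; index, sourcetype and field names are hypothetical. -->
<dashboard>
  <label>Session transactions</label>
  <!-- Base search: non-transforming, so list every field the post-process
       searches will reference. Fields not named here are not guaranteed
       to be available to the panels below. -->
  <search id="base_events">
    <query>
      index=app_logs sourcetype=app:auth
      | fields _time, _raw, session_id, action, user
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Login-to-logout sessions</title>
      <table>
        <!-- Post-process search: startswith/endswith test the "action"
             field, which the base search passes through explicitly.
             duration and eventcount are produced by transaction. -->
        <search base="base_events">
          <query>
            | transaction session_id startswith=eval(action=="login") endswith=eval(action=="logout")
            | table _time, session_id, user, duration, eventcount
          </query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```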